2019-03-13 by Vasily Berdnikov from Kaspersky Labs
2019 by MITRE ATT&CK from MITRE
2019 by Cyber Operations Tracker from Council on Foreign Relations
2016-05-29 by Bill Marczak from CitizenLab
Actor: Stealth Falcon, FruityArmor
Names: Stealth Falcon, FruityArmor, Project Raven
Country: UAE
Motivation: Information theft and espionage
First-seen: 2012
Description: (Citizen Lab) This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organization called “The Right to Fight” contacted Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel. Donaghy has written critically of the United Arab Emirates (UAE) government in the past, and had recently published a series of articles based on leaked emails involving members of the UAE government. Circumstantial evidence suggests a link between Stealth Falcon and the UAE government. We traced digital artifacts used in this campaign to links sent from an activist’s Twitter account in December 2012, a period when it appears to have been under government control. We also identified other bait content employed by this threat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims. Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, “UAE” in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity.
Observed-sectors: Civil society groups and Emirati journalists, activists and dissidents
Observed-countries: Netherlands, Saudi Arabia, Thailand, UAE, UK
Tools: StealthFalcon, 0-day exploits
Operations: 2014: Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy — dissidents, rival leaders and journalists. https://www.reuters.com/investigates/special-report/usa-spying-raven/
Operations: 2016-10: Windows zero-day exploit used in targeted attacks by FruityArmor APT. https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/
Operations: 2018-10: Zero-day exploit (CVE-2018-8453) used in targeted attacks. https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/
Operations: 2018-10: Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611). https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/
Operations: 2019-09: ESET researchers discovered a backdoor linked to malware used by the Stealth Falcon group, an operator of targeted spyware attacks against journalists, activists and dissidents in the Middle East. https://www.welivesecurity.com/2019/09/09/backdoor-stealth-falcon-group/
Information: https://citizenlab.ca/2016/05/stealth-falcon/
Mitre-attack: https://attack.mitre.org/groups/G0038/
Last-card-change: 2020-04-22
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
MITRE ATT&CK techniques by tactic. No techniques are recorded for Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Defense Evasion (TA0005), Lateral Movement (TA0008), Collection (TA0009) or Impact (TA0040).

Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059 Command and Scripting Interpreter | Stealth Falcon malware uses WMI to script data collection and command execution on the victim. |
Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server. |
Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004) | T1053.005 Scheduled Task/Job: Scheduled Task | Stealth Falcon malware creates a scheduled task entitled "IE Web Cache" to execute a malicious file hourly. |
Execution (TA0002) | T1047 Windows Management Instrumentation | Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI). |
Credential Access (TA0006) | T1555 Credentials from Password Stores | Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook. |
Credential Access (TA0006) | T1555.003 Credentials from Password Stores: Credentials from Web Browsers | Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome. |
Credential Access (TA0006) | T1555.004 Credentials from Password Stores: Windows Credential Manager | Stealth Falcon malware gathers passwords from the Windows Credential Vault. |
Discovery (TA0007) | T1012 Query Registry | Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry. |
Discovery (TA0007) | T1082 System Information Discovery | Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim. |
Discovery (TA0007) | T1033 System Owner/User Discovery | Stealth Falcon malware gathers the registered user and primary owner name via WMI. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | Stealth Falcon malware communicates with its C2 server via HTTPS. |
Command and Control (TA0011) | T1573.001 Encrypted Channel: Symmetric Cryptography | Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key. |
Exfiltration (TA0010) | T1041 Exfiltration Over C2 Channel | After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel. |
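The scheduled-task entry above (T1053.005: a task named "IE Web Cache" that runs hourly) together with the PowerShell entry (T1059.001) gives a defender something concrete to hunt for in task-creation telemetry. The following Python is an added example, not code from the ETDA card, MITRE or Citizen Lab. It parses the Task Scheduler XML that Windows records in the TaskContent field of Security event 4698 ("A scheduled task was created") and that `schtasks /Query /XML` exports, and flags a task when its name matches the one reported on the card or when a PowerShell action repeats at an hourly or shorter interval. The three sample tasks, their file paths and the one-hour threshold are constructed assumptions for the demonstration.

```python
"""Triage scheduled-task definitions for the hourly "IE Web Cache" task and
other short-interval PowerShell tasks (added example, not the card's own code).

Input is the Task Scheduler XML carried in the TaskContent field of Security
event 4698 and exported by `schtasks /Query /XML`. Sample tasks are constructed."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
KNOWN_TASK_NAMES = {"ie web cache"}   # task name reported on the card (T1053.005)
HOURLY_SECONDS = 3600                 # assumed threshold: hourly or faster is interesting


def iso_duration_seconds(text):
    """ISO 8601 duration as used in task XML (PT1H, PT30M, P7D) -> seconds.
    Only day/hour/minute/second parts are handled; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(task_xml):
    """Return the shortest repetition interval over all triggers and every
    <Exec> command/argument pair found in the task definition."""
    # TaskContent carries a UTF-16 XML declaration; ElementTree rejects that
    # declaration on str input, so drop it before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).lstrip()
    root = ET.fromstring(body)
    intervals = [s for s in (iso_duration_seconds(n.text or "")
                             for n in root.iter(TASK_NS + "Interval")) if s is not None]
    actions = [((e.findtext(TASK_NS + "Command") or "").strip(),
                (e.findtext(TASK_NS + "Arguments") or "").strip())
               for e in root.iter(TASK_NS + "Exec")]
    return {"min_interval": min(intervals) if intervals else None, "actions": actions}


def triage_task(task_name, task_xml):
    """Return the reasons this task deserves analyst attention (empty list = none)."""
    info = parse_task(task_xml)
    reasons = []
    leaf = task_name.rsplit("\\", 1)[-1].lower()   # strip any task-folder path
    if leaf in KNOWN_TASK_NAMES:
        reasons.append("task name matches the reported Stealth Falcon task")
    repeats_hourly = info["min_interval"] is not None and info["min_interval"] <= HOURLY_SECONDS
    runs_powershell = any("powershell" in cmd.lower() for cmd, _ in info["actions"])
    if repeats_hourly and runs_powershell:
        reasons.append("PowerShell action repeating every %d seconds" % info["min_interval"])
    return reasons


# Constructed sample tasks; the template follows the Task Scheduler XML schema.
_TEMPLATE = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>{interval}</Interval></Repetition>
    <StartBoundary>2015-11-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>{command}</Command><Arguments>{arguments}</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_TASKS = {
    "IE Web Cache": _TEMPLATE.format(          # name from the card; paths constructed
        interval="PT1H",
        command=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        arguments=r"-NoProfile -File C:\Users\Public\cache.ps1"),
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _TEMPLATE.format(   # benign weekly task
        interval="P7D", command=r"%windir%\system32\defrag.exe", arguments="-c"),
    "Updater": _TEMPLATE.format(               # unknown name, but hourly-or-faster PowerShell
        interval="PT30M", command="powershell.exe", arguments="-File update.ps1"),
}


def triage_all(tasks=SAMPLE_TASKS):
    """Map each task name to its list of triage reasons."""
    return {name: triage_task(name, xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or "no findings")
```

The name match is the narrow, high-confidence signal; the interval-plus-PowerShell rule is the broader one and will also surface legitimate administrative tasks, so treat it as a triage queue rather than an alert. Feeding it real data means extracting TaskName and TaskContent from 4698 events (or iterating exported task XML) and passing them to `triage_task`.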