Win32/StealthFalcon Does More than Just Steal Files

Win32/StealthFalcon, named after the sophisticated Stealth Falcon state-sponsored cyber espionage hacker group, is a malware that sends collected stolen data to its remote command-and-control servers via Windows Background Intelligent Transfer Service (BITS). BITS is commonly used in software updates for Windows 10, messengers, and other background applications. Win32/StealthFalcon can also be used by attackers to further deploy more malicious tools and update its configuration.

"Compared with traditional communication via API functions, the BITS mechanism is exposed through a COM interface and thus harder for a security product to detect," state security researchers at cyber-security firm ESET. "The transfer resumes automatically after being interrupted for reasons like a network outage, the user logging out, or a system reboot."

The Stealth Falcon group has been active since 2012 and usually targets journalists, activists, and dissidents with spyware in the Middle East. Their Win 32/StealthFalcon not only exports the stolen data, it encrypts it and then deletes all logs and collected files after rewriting them. This prevents recovery of the deleted data and tracing thru forensic investigations. ESET researchers report that the malware shares its C&C servers and code base with a PowerShell-based backdoor attributed to the Stealth Falcon group and tracked by the Citizen Lab in 2016.

Researchers went on to say, "The Win32/StealthFalcon backdoor, which appears to have been created in 2015, allows the attacker to control the compromised computer remotely. We have seen a small number of targets in UAE, Saudi Arabia, Thailand, and the Netherlands; in the latter case, the target was a diplomatic mission of a Middle Eastern country."