February 19, 2015
Kaspersky Lab’s Global Research and Analysis Team has discovered ‘Desert Falcons’, a cyber-espionage group targeting multiple high-profile organizations and individuals in Middle Eastern countries.
The list of targeted victims includes military and government organizations (in particular employees responsible for countering money laundering, and staff in the health and economy sectors), leading media outlets, research and education institutions, energy and utility providers, activists and political leaders, physical security companies, and other targets in possession of important geopolitical information. In total, Kaspersky Lab experts have found signs of more than 3,000 victims in more than 50 countries, and more than a million stolen files. Although Desert Falcons’ activity appears to be focused mainly on Egypt, Palestine, Israel and Jordan, victims have also been found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.
Kaspersky Lab experts consider this actor to be the first known Arabic-speaking group of cyber mercenaries to develop and execute large-scale cyber-espionage operations.
- The campaign has been active for at least two years. Desert Falcons began developing and building its operation in 2011; the main campaign, and the first actual infections, started in 2013. The peak of activity was recorded in early 2015;
- The vast majority of its targets are in Egypt, Palestine, Israel and Jordan;
- Beyond the Middle Eastern countries on which its initial targeting focused, Desert Falcons also hunts outside the region. In total it has attacked more than 3,000 victims in more than 50 countries around the world, stealing more than a million files;
- The attackers use custom-built malicious tools to attack Windows computers and Android devices;
- Kaspersky Lab experts have multiple reasons to believe that the attackers behind Desert Falcons are native Arabic speakers.
Distribute, Infect, Spy
The main method the Falcons use to deliver the malicious payload is spear-phishing via email, social-media messages and chat messages. The phishing messages carry malicious files (or links to malicious files) disguised as legitimate documents or applications. Desert Falcons uses many techniques to entice victims into executing these files; one of the more distinctive is the so-called right-to-left override (RLO) extension-spoofing trick.
This method abuses a special Unicode control character (U+202E, RIGHT-TO-LEFT OVERRIDE) that reverses the display order of the characters that follow it. The dangerous extension is placed in the middle of the file name, and a harmless-looking fake extension appears at the end of the name as displayed. Using this technique, malicious executables (.exe, .scr) look like a harmless document or PDF file, and even careful users with good technical knowledge can be tricked into running them. For example, a file whose name actually ends in .fdp.scr (with the override character placed before that ending) is displayed as ending in .rcs.pdf, while the operating system still treats it as a .scr executable.
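As an added illustration (not code from Kaspersky Lab or the original article), the following Python script shows both sides of the RLO trick: how a viewer renders a filename that contains U+202E, and how to detect the spoof by comparing the displayed extension with the extension the operating system actually uses. The filenames, the executable-extension list and the rendering function are constructed for this example; the rendering is a deliberate simplification of the Unicode Bidirectional Algorithm that is accurate for the Latin-only names used in this trick.

```python
# Unicode bidirectional-control code points that viewers honour but file
# systems store as ordinary characters; any of them in a filename is suspect.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows executes on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".hta", ".lnk", ".msi"}


def find_bidi_controls(name):
    """Return (index, abbreviation) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a GUI file lister shows: characters after a U+202E RLO
    are drawn right-to-left (i.e. reversed) until a U+202C PDF or the end of
    the string; the control characters themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1            # skip the terminating PDF, if any
        elif ch in BIDI_CONTROLS:
            i += 1                 # other controls render as nothing
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def true_extension(name):
    """Extension the OS actually dispatches on: the raw string, in storage
    order, with the invisible control characters removed."""
    return _ext("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def classify(name):
    """Flag a name as spoofed when it carries bidi controls, the real
    extension is executable, and the displayed extension differs from it."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    real, shown_ext = true_extension(name), _ext(shown)
    suspicious = bool(controls) and real in EXECUTABLE_EXTS and real != shown_ext
    return {"raw": name, "shown": shown, "controls": controls,
            "true_ext": real, "shown_ext": shown_ext, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample attachment names, not real Desert Falcons artefacts.
    samples = [
        "report\u202efdp.scr",            # shown as "reportrcs.pdf", runs as .scr
        "invoice\u202ecod.exe\u202c",     # RLO...PDF pair: shown "invoiceexe.doc"
        "budget.xlsx",                    # benign
        "setup.exe",                      # executable but not disguised
    ]
    for s in samples:
        r = classify(s)
        print(f"{r['shown']!r:22} true={r['true_ext']:5} suspicious={r['suspicious']}")
```

A mail gateway or endpoint rule built on the same idea need not simulate rendering at all: the presence of any bidi control character in an attachment name is reason enough to quarantine, since legitimate attachments essentially never contain them.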
After successfully infecting a victim, Desert Falcons uses one of two different backdoors: the main Desert Falcons Trojan or the DHS Backdoor. Both appear to have been developed from scratch and are under continuous development. Kaspersky Lab experts have identified more than 100 malware samples used by the group in its attacks.
The tools have full backdoor functionality, including the ability to take screenshots, log keystrokes, upload and download files, collect information about all Word and Excel files on the victim’s hard drive or on connected USB devices, steal passwords stored in the system registry (Internet Explorer and Windows Live Messenger credentials) and make audio recordings. Kaspersky Lab experts also found traces of activity from malware that appears to be an Android backdoor capable of stealing call and SMS logs.
Using these tools, Desert Falcons launched and managed at least three different malicious campaigns targeting specific groups of victims in various countries.
A group of Falcons on the hunt for secrets
Kaspersky Lab researchers estimate that at least 30 people, on three teams, spread across different countries, are operating the Desert Falcons malware campaigns.
“The individuals behind this threat are highly determined, active and with a lot of cultural, political and technical knowledge. Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of important and sensitive victims in the Middle East region through their computer systems or mobile devices, and extract confidential data. We anticipate that this operation will continue to develop more Trojans and use more advanced techniques. With sufficient funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks,” said Dmitry Bestuzhev, Director of the Analysis and Research Team for Latin America at Kaspersky Lab.