Stealth Falcon
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).[1] |
|
| Enterprise | T1555 | 从密码存储中获取凭证 |
Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.[1] |
|
| .003 | Credentials from Web Browsers |
Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.[1] |
||
| .004 | Windows Credential Manager |
Stealth Falcon malware gathers passwords from the Windows Credential Vault.[1] |
||
| Enterprise | T1005 | 从本地系统获取数据 |
Stealth Falcon malware gathers data from the local victim system.[1] |
|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.[1] |
| Enterprise | T1059 | 命令与脚本解释器 |
Stealth Falcon malware uses WMI to script data collection and command execution on the victim.[1] |
|
| .001 | PowerShell |
Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[1] |
||
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Stealth Falcon malware communicates with its C2 server via HTTPS.[1] |
| Enterprise | T1012 | 查询注册表 |
Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[1] |
|
| Enterprise | T1082 | 系统信息发现 |
Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Stealth Falcon malware gathers the registered user and primary owner name via WMI.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.[1] |
|
| Enterprise | T1057 | 进程发现 |
Stealth Falcon malware gathers a list of running processes.[1] |
|
| Enterprise | T1041 | 通过C2信道渗出 |
After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.[1] |
|
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task |
Stealth Falcon malware creates a scheduled task entitled "IE Web Cache" to execute a malicious file hourly.[1] |