New Modular Deadglyph Backdoor Used in a Government Attack

Deadglyph infection method

• While the exact delivery method is currently unknown, it is suspected that a malicious x64 executable, possibly a program installer, is used to propagate Deadglyph. 
• The malicious executable, in turn, downloads a .NET-based component called Orchestrator, which communicates with the C2 server for further malicious commands. 
• This enables the malware to engage in a series of evasive maneuvers to stay under the radar. 
• If the backdoor fails to establish communications with the C2 server after a determined period, it triggers a self-removal mechanism to prevent its analysis.

Capabilities

• Deadglyph is modular in nature, means it allows threat actors to create or modify modules tailored to their needs..
• ESET believes that the backdoor includes nine to fourteen different modules, however, it could obtain only three: a process creator, an info collector, and a file reader.
• Besides this, the malware boasts a range of anti-evasion mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns.

Too many malware backdoors lately

• Recently, the Chinese hacking group Earth Lusca was attributed to a new Linux backdoor, SprySOCKS, that targeted multiple government organizations in several countries. 
• In another incident, a threat actor employed two new backdoors—HTTPSnoop and PipeSnoop—in a cyberespionage campaign targeting Middle East-based telecommunications organizations. These backdoors masqueraded as popular software products and used extensive anti-detection mechanisms to stay under the radar. 
• Furthermore, a new Sandman APT group was found using a modular backdoor named LuaDream to target telecom service providers in Europe and Asia. The malware utilizes the LuaJIT platform to propagate on targeted organizations’ systems.

Conclusion