Filip Jurcacko

Deadglyph: Covertly preying over Middle Eastern skies

The Middle East has been known for years to be a fertile land for APTs. During our routine monitoring of suspicious activities in government entities of the region, we stumbled upon a very sophisticated and unknown backdoor that we have named Deadglyph.

Deadglyph’s main components are protected with encryption using a machine-specific key, which usually prevents further analysis. Its architecture is unusual as it consists of a native x64 and .NET component that cooperate.

The traditional backdoor commands are not implemented in the Deadglyph binary; instead, they are dynamically received from its C&C server in the form of additional modules that exist in memory only briefly, to perform the commands. Without the modules, the full capabilities of the backdoor are unknown. Deadglyph also features a number of capabilities to avoid being detected, including the ability to uninstall itself, preventing discovery.

After initial investigation, we could not attribute the Deadglyph backdoor to an existing threat actor, but later we found another piece of the puzzle – a multistage shellcode downloader that pointed us in the right direction.

Finally, we will describe how we pivoted on various indicators to arrive at attributing Deadglyph backdoor to an existing threat actor, active in the Middle East for years.

Filip Jurčacko is a Malware Researcher, working at ESET since 2015. Filip focuses on hunting and analyzing sophisticated threats. His research results in technical reports comprising part of ESET’s threat intelligence services, and improvements to detection capabilities. In his free time, he likes to improve skills in CTF competitions. He holds a master’s degree in software engineering from the Slovak University of Technology in Bratislava.