Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | exfiltration | Exfiltration Over Command and Control Channel | After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel. | User interface, Process monitoring |
| Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Stealth Falcon malware gathers data from the local victim system. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Stealth Falcon malware uses PowerShell and WMI to script data collection and command execution on the victim. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows | discovery | Process Discovery | Stealth Falcon malware gathers a list of running processes. | Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | credential-access | Credential Dumping | Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Stealth Falcon malware communicates with its C2 server via HTTPS. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Windows | execution, persistence, privilege-escalation | Scheduled Task | Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | discovery | System Network Configuration Discovery | Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim. | Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | discovery | System Owner/User Discovery | Stealth Falcon malware gathers the registered user and primary owner name via WMI. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
| Windows | execution | PowerShell | Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Windows | execution | Windows Management Instrumentation | Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI). | Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters |
| Windows | discovery | Query Registry | Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry. | Windows Registry, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Standard Cryptographic Protocol | Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key. | Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection |