Stealth Falcon, a sophisticated and likely state-sponsored cyberespionage group, is hell-bent on conducting targeted spyware attacks against United Arab Emirates dissidents, some of whom get disappeared.

Meet Stealth Falcon, a sophisticated and likely state-sponsored cyberespionage group that is hell-bent on conducting targeted spyware attacks “against Emirati journalists, activists and dissidents.” The digital attacks started in 2012 and are still being carried out against United Arab Emirates (UAE) dissidents. It’s not “just” spying with custom spyware that leads to dissidents being “arbitrarily detained;” once identified as criticizing the authorities, UAE dissidents can be forcibly disappeared.

“The UAE has gotten much more sophisticated since we first caught them using Hacking Team software in 2012,” Bill Marczak, a senior researcher at Citizen Lab, told the New York Times. “They’ve clearly upped their game. They’re not on the level of the United States or the Russians, but they’re clearly moving up the chain.”

Citizen Lab Director Ronald Deibert called Stealth Falcon “an extensive and highly elaborate targeted digital attack campaign.” Citizen Lab researchers used a “combination of reverse engineering, network scanning and other highly intricate detective methods” to unearth “a vast campaign of digital attacks aimed at UAE dissidents, organized primarily through fake Twitter accounts, phony websites and spoofed emails. The attacks appear to have had extremely serious consequences: many dissidents targeted, and presumably entrapped by Stealth Falcon, disappeared into the clutches of UAE authorities and were reportedly tortured.”

How Stealth Falcon pulled off its targeted attacks

You really should read “Be Calm and (Don’t) Enable Macros: Malware Sent to UK Journalist Exposes New Threat Actor Targeting UAE Dissidents.” The excellent and in-depth new report by Citizen Lab explains how Stealth Falcon used a malicious URL-shortening site, booby-trapped emails from a fictitious organization called “The Right to Fight,” social engineering, and baited tweets by fake journalist “Andrew Dwight” for the targeted attacks.

“If a user clicked on a URL shortened by Stealth Falcon operators, the site profiles the software on a user’s computer, perhaps for future exploitation, before redirecting the user to a benign website containing bait content.” Citizen Lab identified “402 instances of bait content” that were sent by Stealth Falcon. One of those URLs was sent to Rori Donaghy, a U.K. journalist and founder of the Emirates Center for Human Rights. Citizen Lab tracked the spyware “to a network of 67 active command and control (C2) servers, suggesting broader use of the spyware, perhaps by the same or other operators.”

The attack on Donaghy started with a November 2015 email from “The Right to Fight,” asking him to be on a human rights panel. He was suspicious and sent it to the researchers. Before being redirected from the link included in the email, JavaScript would profile the target’s computer. When Donaghy responded per the researchers’ instructions, “The Right to Fight” sent another email, asking him to enable macros. That email was flagged as malicious, so he asked for another and received a link to a password-protected site to download organizational information. If the victim enabled macros, then he or she would see a document.

The researchers wrote:

The document attempts to execute code on the recipient’s computer, using a macro. The macro passes a Base64-encoded command to Windows PowerShell, which gathers system information via Windows Management Instrumentation (WMI), and attempts to determine the installed version of .NET by querying the registry.

Browser profiling

Citizen Lab suggested Stealth Falcon would “profile a user’s system, perhaps to gather intelligence about potentially exploitable vulnerabilities.” The profiling actions included attempting “to get the versions of Flash, Shockwave, Java, RealPlayer, Windows Media Player and Microsoft Office.” If the browser was not Internet Explorer, then it attempted to get a list of enabled plugins. It also checked for an exploit in older Tor Browser versions and attempted to deanonymize the user. For all browsers, it captured the user agent, cookies, OS, size of the browser window and time zone. For Windows browsers, it would attempt to get the specific antivirus program installed on the machine. That code was borrowed from JS-Recon, a tool that was presented at BlackHat Abu Dhabi in 2010.

Citizen Lab found some similarities to the Empire backdoor, but no shared code, and suspects “the backdoor is custom-made.”

Another attempt to entrap Donaghy and others was made by fake journalist “Andrew Dwight;” the Twitter profile for the same persona had tweeted to three UAE dissident accounts.
One of those dissidents was “a blogger who was arrested for criticizing the UAE.” One arrest followed a tweet, another followed talking to CNN, and Obaid Yousef Al-Zaabi is believed to still be imprisoned.

Those Stealth Falcon attacks may be related to others, such as an Instagram attack, a fake file-sharing site and fake web forums.

The researchers concluded:

Stealth Falcon appears to be a new, state-sponsored threat actor. As an operator, Stealth Falcon is distinguished by well-informed and sophisticated social engineering, combined with moderately sophisticated technical attempts to deanonymize and monitor political targets working on the UAE, and relatively simple malcode.

Citizen Lab has “no smoking gun,” but it did collect circumstantial evidence that Stealth Falcon is linked to the UAE government. That circumstantial evidence “points to an alignment of interests between Stealth Falcon and the UAE Security Forces.” Citizen Lab hopes other researchers will work to uncover more cases and asked anyone who received a link to “aax.me” or an email from “Andrew Dwight” to contact them.
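The macro-to-PowerShell chain the report describes (an Office document spawning PowerShell with a Base64-encoded command that enumerates the system via WMI and reads the .NET version from the registry) is also what a defender can key on. The following Python is an added example, not code from this article or from the Citizen Lab report: it decodes the -EncodedCommand argument out of constructed process-creation events and flags the Office parent together with those two behaviours. The tab-separated event layout and the mimicking command are assumptions built for the example; the real Stealth Falcon script is not reproduced.

```python
import base64
import binascii
import re

# Constructed sample telemetry (not from the report): tab-separated key=value
# process-creation events using Sysmon-style field names. The encoded command
# is built here to mirror the behaviour the report describes (WMI enumeration
# plus a .NET version registry query); it is not the real Stealth Falcon payload.
def encode_powershell(cmd):
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

MIMIC_CMD = ("Get-WmiObject Win32_OperatingSystem; "
             "Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full'")
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(MIMIC_CMD),
    "ParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Behaviours the report attributes to the macro payload, as regexes over the decoded script.
INDICATORS = {
    "wmi_query": re.compile(r"Get-WmiObject|Get-CimInstance|Win32_\w+", re.IGNORECASE),
    "dotnet_registry": re.compile(r"NET Framework Setup", re.IGNORECASE),
}

def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed Base64 or non-UTF-16 payload; still worth an analyst's look

def triage_event(line):
    """Score one process-creation event for the Office -> encoded PowerShell pattern."""
    fields = dict(kv.split("=", 1) for kv in line.split("\t"))
    parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    script = decode_encoded_command(fields.get("CommandLine", ""))
    hits = [name for name, rx in INDICATORS.items() if script and rx.search(script)]
    return {"parent": parent, "encoded": script is not None, "script": script,
            "indicators": hits, "suspicious": parent in OFFICE_PARENTS and script is not None}
```

Real telemetry would come from Sysmon event ID 1 or Windows event 4688 with command-line auditing enabled; the decoder and the parent-process check carry over unchanged.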