Windows Update Abused To Deliver The Stealth Falcon Malware

Attackers have been found abusing the Windows Background Intelligent Transfer Service (BITS), the component behind Windows Update, to deliver and communicate with the dangerous Stealth Falcon malware. BITS is the default way of fetching and applying updates to the Microsoft Windows operating system, and the campaign uses a complex strategy to penetrate target networks.

Stealth Falcon Malware Delivered Via Abused Windows Update Mechanism

An experienced hacking group is actively infecting victims by abusing the Background Intelligent Transfer Service (BITS), the Windows component that downloads and applies Windows updates, with the end goal of deploying a backdoor called Stealth Falcon. The approach lets the attackers disguise the traffic that flows from compromised devices to the hacker-controlled servers as ordinary BITS transfers. The group has been active since 2012 and is known for several state-sponsored attacks against dissidents in the United Arab Emirates.

What is distinct about this attack is that the masked traffic can easily pass through firewalls and intrusion detection systems. BITS is mainly used to fetch Windows Update patches, but other applications use it as well; Mozilla is adopting it for Firefox updates. Because BITS requests are plain HTTP(S) issued by the service itself, often while the machine is idle, its traffic is typically whitelisted by network rules and treated as trusted. The exact initial infection vector is not yet known, but there are a few likely infiltration tactics:

  • Automated Toolkits — Using attack frameworks loaded with popular exploits, the criminals can automate the search for vulnerable hosts; each one found is exploited, and the follow-on scripts deliver the Stealth Falcon malware.
  • Phishing Strategies — The criminals can rely on scam e-mail messages and fake websites that pose as legitimate landing pages.
  • Installers & Payload Carriers — A very popular mechanism is to create malicious installers of widely used applications, usually by taking the original installer and bundling the malicious code into it. Payload carriers can be any file that can carry the infection scripts and commands; commonly the hackers rely on documents across all popular formats: databases, text files, spreadsheets and presentations.
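Because BITS traffic is trusted by default, the practical check is on the host rather than at the perimeter: which BITS jobs exist, who owns them, and where they point. The following PowerShell is an added example for this article, not code from the original page or from the researchers who analysed the malware. It lists live BITS jobs for every user and the BITS-Client operational log's "job started" events (event ID 59, whose message names the job and its URL), and flags any remote host that is not on a local allowlist. The allowlist entries are assumptions for illustration; replace them with the update sources your network actually permits.

```powershell
# Added example (not from the article): hunt for BITS jobs that talk to hosts
# other than expected update sources. Run from an elevated shell so that
# -AllUsers and the operational log are readable.

# ASSUMPTION: illustrative allowlist of update hosts; tune to your environment.
$AllowedHosts = @(
    '*.windowsupdate.com',
    '*.update.microsoft.com',
    '*.delivery.mp.microsoft.com',
    '*.mozilla.org',
    '*.mozilla.net'
)

function Test-AllowedHost {
    param([string]$HostName)
    foreach ($pattern in $AllowedHosts) {
        if ($HostName -like $pattern) { return $true }
    }
    return $false
}

# 1. Live and queued jobs, for every account on the machine.
$jobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue
foreach ($job in $jobs) {
    foreach ($file in $job.FileList) {
        $uri = [uri]$file.RemoteName
        if (-not (Test-AllowedHost $uri.Host)) {
            [pscustomobject]@{
                Source    = 'LiveJob'
                Owner     = $job.OwnerAccount
                JobName   = $job.DisplayName
                State     = $job.JobState
                RemoteUrl = $file.RemoteName
                LocalPath = $file.LocalName
            }
        }
    }
}

# 2. History: event 59 in Microsoft-Windows-Bits-Client/Operational is written
#    when a transfer job starts and its message text contains the remote URL.
#    Jobs that already completed or were cancelled no longer show up in step 1,
#    so this is the part that catches a short-lived exfiltration transfer.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 59
} -MaxEvents 2000 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    if ($ev.Message -match 'https?://\S+') {
        # Trim the punctuation that follows the URL in the message text.
        $url  = $Matches[0].TrimEnd('.', '"', "'")
        $host = ([uri]$url).Host
        if (-not (Test-AllowedHost $host)) {
            [pscustomobject]@{
                Source    = 'EventLog'
                Time      = $ev.TimeCreated
                RemoteUrl = $url
            }
        }
    }
}
```

On a clean workstation both loops should produce nothing. Any hit whose owner is an ordinary user account, or whose local path sits under a user profile, deserves a closer look: legitimate update jobs are created by the system or by a known updater service. The same job listing is available from the legacy tool with `bitsadmin /list /allusers /verbose`, and at the proxy BITS requests can be singled out by their `Microsoft BITS/` User-Agent, which makes it possible to alert on that agent contacting a host that is not an update source.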

Stealth Falcon Malware Capabilities

As soon as the necessary files are dropped on the target computer, Stealth Falcon starts its built-in routine. The main malicious code is carried in a DLL file which configures itself to start automatically at user login. It acts as a standard Trojan backdoor, able to hook into running processes, both system and user application ones. The commands the main engine can execute are the following:

  • CFG — Update configuration data
  • K — Uninstall itself
  • RC — Execute the specified application
  • DL — Write downloaded data to file
  • CF — Prepare a file for exfiltration
  • CFW — Exfiltrate and delete files

The Stealth Falcon malware can read, edit and store its own values in the Windows Registry; tampering with existing keys can cause errors, performance problems and data loss. The malware can also scan the system to find out whether any security applications and services are running. Those found will be bypassed or removed. Exhibiting typical Trojan behaviour, Stealth Falcon also reports its progress to a remote hacker-controlled server over an encrypted connection. This allows the hackers to steal user data, take over control of the system and deploy further threats.
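A backdoor that lives in a DLL and starts at user login needs a launcher, and on Windows the usual one is `rundll32` or `regsvr32` referenced from a Run key. The following PowerShell is an added example for this article, not code from the original page, and it assumes Run-key persistence, which the article does not state; it is one of several places such an entry could live. It walks the per-machine and per-user Run and RunOnce keys and reports every entry that loads a DLL through `rundll32` or `regsvr32` from a directory outside the Windows and Program Files trees, which is where a dropped payload is most likely to sit.

```powershell
# Added example (not from the article): find Run-key entries that load a DLL
# via rundll32/regsvr32 from an untrusted directory. ASSUMPTION: the backdoor
# uses a Run key; the article only says the DLL starts at user login.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from which a DLL launched at login is considered expected.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $cmd = [string]$p.Value
        # Matches forms such as:
        #   rundll32.exe C:\Users\x\AppData\Roaming\svc.dll,Entry
        #   "C:\Windows\System32\rundll32.exe" "C:\Users\x\svc.dll",Entry
        #   regsvr32 /s %APPDATA%\svc.dll
        if ($cmd -match '(rundll32|regsvr32)(?:\.exe)?"?[^"]*?\s+"?((?:[A-Za-z]:\\|%)[^",]*?\.dll)') {
            # Expand %SystemRoot%-style references before deciding on the directory.
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[2])
            if (-not (Test-TrustedPath $dll)) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Dll     = $dll
                    Exists  = Test-Path -LiteralPath $dll
                    Command = $cmd
                }
            }
        }
    }
}
```

Run it in the context of each interactive user, since HKCU differs per account; a DLL under a user profile or a temp directory that is also missing a publisher signature is the kind of hit to isolate and hash before cleaning. The same check should be repeated against scheduled tasks and the Startup folders, which are the other common login-time launch points.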


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.