Representational Image
Representational ImageReuters

Security Software developer Kaspersky Lab's Global Research and Analysis team has discovered a new cyber espionage group targeting multiple high profile organisations and individuals from Middle East countries.

Dubbed as Desert Falcons, it is the first Arabic group to develop and run full-scale cyber-espionage operations.

According to Kaspersky, the campaign has been active for at least two years. The Desert Falcons started developing and building their operation in 2011, with their main campaign and real infection beginning in 2013. The peak of their activity was registered in the beginning of 2015.

The analysts further found the vast majority of targets are based in Egypt, Palestine, Israel and Jordan. Apart from the Middle East countries focused on as initial targets, the Desert Falcons are also hunting out of the territory. In total, they have been able to attack more than 3,000 victims in 50+ countries globally, with over one million files stolen.

The attackers use proprietary malicious tools for attacks on Windows PCs and Android-based devices. Kaspersky Lab experts asserted that they have enough evidences to believe that the attackers behind the Desert Falcons are native Arabic speakers.

The list of targeted victims include military and government organisations, leading media outlets, research and education institutions, energy and utility providers, activists and political leaders, physical security companies and other targets in possession of important geopolitical information.

Although the main focus of Desert Falcons' activity appears to be in Egypt, Palestine, Israel and Jordan, multiple victims were also found in Qatar, Saudi Arabia, UAE, Algeria, Lebanon, Norway, Turkey, Sweden, France, the USA, Russia and other countries.

Methods Used

The main method used by the Falcons to deliver the malicious payload is spear phishing via emails, social networking posts and chat messages. Phishing messages contained malicious files or a link to malicious files camouflaged as legitimate documents or applications. Desert Falcons use several techniques to entice victims into running the malicious files.

One of the most specific techniques is the so-called right-to-left extension override trick. This method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name. Using this technique, malicious files (.exe, .scr) will look like a harmless document or pdf file; and even careful users with good technical knowledge could be tricked into running these files.

After the successful infection of a victim, Desert Falcons would use one of two different Backdoor options: the main Desert Falcons' Trojan or the DHS Backdoor, which both appear to have been developed from scratch and are in continuous development. Kaspersky Lab experts were able to identify a total of more than 100 malware samples used by the group in their attacks.

The malicious tools used have full Backdoor functionality, including the ability to take screenshots, log keystrokes, upload/download files, collect information about all Word and Excel files on a victim's Hard Disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and live Messenger) and make audio recordings. Kaspersky Lab experts were also able to find traces of activity of a malware which appears to be an Android backdoor capable of stealing mobile calls and SMS logs.

Using these tools the Desert Falcons launched and managed at least three different malicious campaigns targeting different set of victims in different countries.