Desert Falcon Cyber Espionage Group Has Attacked 3,000 Victims In 50 Countries

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

Follow on:

World’s first Arabic cyber espionage team, dubbed Desert Falcons, has been targeting ‘important people’ with increasing determination

A cyber espionage group that has been attacking an array of high profile organisations and individuals from Middle East countries has been discovered.

The group, dubbed Desert Falcons, was spotted by security researchers at Kaspersky Lab who believe it to be the first known Arabic group of cyber mercenaries to develop and run full-scale cyber-espionage operations.

Military and government targets

The cyber espionage campaign is said to have been active for at least two years, with the Desert Falcons beginning to develop and build their operation in 2011. Their main campaign and real infection began in 2013 and the peak of their activity was registered at the beginning of 2015, according to the researchers.

The list of targeted victims include Military and Government organisations – particularly employees responsible for countering money laundering as well as health and the economy; leading media outlets; research and education institutions; energy and utilities providers; activists and political leaders; physical security companies; and other targets in possession of important geopolitical information.

falconThe vast majority of the group’s targets are based in Egypt, Palestine, Israel and Jordan. Apart from the Middle East countries focused on as initial targets, the Desert Falcons are also hunting out of the territory. In total, they have been able to attack more than 3,000 victims in upwards of 50 countries – including France, the US and Russia – stealing more than one million files.

The attackers utilise proprietary malicious tools for attacks on Windows PCs and Android-based devices, and the researchers at Kaspersky Lab claim to have multiple reasons to believe that the attackers behind the Desert Falcons are native Arabic speakers.

The main method used by the Falcons to deliver the malicious payload is spear phishing via e-mails, social networking posts and chat messages. Phishing messages contained malicious files (or a link to malicious files) masquerading as legitimate documents or applications. Desert Falcons use several techniques to entice victims into running the malicious files. One of the most specific techniques is the so-called right-to-left extension override trick.

This method takes advantage of a special character in Unicode to reverse the order of characters in a file name, hiding the dangerous file extension in the middle of the file name and placing a harmless-looking fake file extension near the end of the file name. Using this technique, malicious files (.exe, .scr) will look like a harmless document or pdf file; and even careful users with good technical knowledge could be tricked into running these files. For example, a file ending with .fdp.scr would appear .rcs.pdf.

After the successful infection of a victim, Desert Falcons would use one of two different Backdoors: the main Desert Falcons’ Trojan or the DHS Backdoor, which both appear to have been developed from scratch and are in continuous development. Kaspersky Lab experts were able to identify a total of more than 100 malware samples used by the group in their attacks.
The malicious tools used have full Backdoor functionality, including the ability to take screenshots, log keystrokes, upload/download files, collect information about all Word and Excel files on a victim’s Hard Disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and live Messenger) and make audio recordings. Kaspersky Lab experts were also able to find traces of activity of a malware which appears to be an Android backdoor capable of stealing mobile calls and SMS logs.

Using these tools the Desert Falcons launched and managed at least three different malicious campaigns targeting different set of victims in different countries.

Kaspersky Lab researchers estimate that at least 30 people, in three teams, spread across different countries, are operating the Desert Falcons malware campaigns.

Dmitry Bestuzhev, security expert at Kaspersky Lab’s Global Research and Analysis Team, said: “The individuals behind this threat actor are highly determined, active and with good technical, political and cultural insight. Using only phishing emails, social engineering and homemade tools and backdoors, the Desert Falcons were able to infect hundreds of sensitive and important victims in the Middle East region through their computer systems or mobile devices, and exfiltrate sensitive data. We expect this operation to carry on developing more Trojans and using more advanced techniques. With enough funding, they might be able to acquire or develop exploits that would increase the efficiency of their attacks.”

How much do you know about hackers and viruses? Take our quiz!