Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [1]

ID: G0038
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook. [1]
Enterprise | T1005 | Data from Local System | Stealth Falcon malware gathers data from the local victim system. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel. [1]
Enterprise | T1086 | PowerShell | Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server. [1]
Enterprise | T1057 | Process Discovery | Stealth Falcon malware gathers a list of running processes. [1]
Enterprise | T1012 | Query Registry | Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry. [1]
Enterprise | T1053 | Scheduled Task | Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly. [1]
Enterprise | T1064 | Scripting | Stealth Falcon malware uses PowerShell and WMI to script data collection and command execution on the victim. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Stealth Falcon malware communicates with its C2 server via HTTPS. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key. [1]
Enterprise | T1082 | System Information Discovery | Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory. [1]
Enterprise | T1016 | System Network Configuration Discovery | Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim. [1]
Enterprise | T1033 | System Owner/User Discovery | Stealth Falcon malware gathers the registered user and primary owner name via WMI. [1]
Enterprise | T1047 | Windows Management Instrumentation | Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI). [1]
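The persistence and discovery rows above (an hourly scheduled task named "IE Web Cache", PowerShell/WMI collection of system directory, build number, serial number, version, manufacturer, model, total physical memory, registered user and primary owner, and ARP table collection) translate into hunt logic over Windows event logs. The following is an added example, not code from the ATT&CK page or from a Stealth Falcon sample. The Security 4698 and PowerShell 4104 records are constructed, the mapping of the listed fields onto the Win32_OperatingSystem and Win32_ComputerSystem WMI classes is an assumption drawn from the field names, and the ARP collection commands it looks for (arp -a, Get-NetNeighbor) are likewise assumed, since the page names the data collected rather than the command used.

```python
"""Hunt for Stealth Falcon-style persistence and discovery in Windows event logs.

Added example, not code from the ATT&CK page or from a Stealth Falcon sample.
The event records are constructed; the WMI class/property mapping and the ARP
collection commands are assumptions (the page lists fields, not commands).
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML uses ISO 8601 durations: PT1H (or PT60M) means "repeat hourly".
HOURLY = re.compile(r"^PT(1H|60M)$", re.I)
# Directories an unprivileged user can write to; a persistence payload usually lives in one of them.
USER_WRITABLE = re.compile(r"[\\/](AppData|Temp|ProgramData|Users[\\/]Public)[\\/]", re.I)
DOCUMENTED_TASK_NAME = "ie web cache"  # from the ATT&CK entry; a brittle indicator on its own

# Assumed mapping of the page's discovery fields onto WMI classes and properties.
WMI_DISCOVERY = {
    "win32_operatingsystem": ("systemdirectory", "buildnumber", "serialnumber", "version", "registereduser"),
    "win32_computersystem": ("manufacturer", "model", "totalphysicalmemory", "primaryownername", "username"),
}
ARP_DUMP = re.compile(r"\barp(\.exe)?\s+-a\b|\bget-netneighbor\b", re.I)  # assumed collection commands


def check_task_creation(event):
    """Security 4698 (task created): documented name, or an hourly task launching from a user-writable path."""
    task_name = event["TaskName"].rsplit("\\", 1)[-1].strip().lower()
    root = ET.fromstring(event["TaskContent"])
    interval = root.findtext(".//{*}Repetition/{*}Interval") or ""  # {*} ignores the task XML namespace
    command = root.findtext(".//{*}Exec/{*}Command") or ""
    reasons = []
    if task_name == DOCUMENTED_TASK_NAME:
        reasons.append("task name matches the documented 'IE Web Cache' indicator")
    if HOURLY.match(interval) and USER_WRITABLE.search(command):
        reasons.append(f"hourly task executes {command!r} from a user-writable path")
    return reasons


def check_script_block(event):
    """PowerShell 4104 (script block logged): WMI pull of 3+ documented fields, or an ARP table dump."""
    text = event["ScriptBlockText"].lower()
    reasons = []
    for wmi_class, props in WMI_DISCOVERY.items():
        if wmi_class in text:
            hits = [p for p in props if p in text]
            if len(hits) >= 3:
                reasons.append(f"WMI discovery via {wmi_class}: {', '.join(hits)}")
    if ARP_DUMP.search(text):
        reasons.append("ARP table collection")
    return reasons


CHECKS = {4698: check_task_creation, 4104: check_script_block}


def hunt(events):
    """Run the check matching each event's ID; one alert per event that tripped at least one rule."""
    alerts = []
    for event in events:
        check = CHECKS.get(event["EventID"])
        reasons = check(event) if check else []
        if reasons:
            alerts.append({"EventID": event["EventID"], "reasons": reasons})
    return alerts


TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed records in the shape of Security 4698 and PowerShell 4104 events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\IE Web Cache",
     "TaskContent": f"<Task xmlns='{TASK_NS}'><Triggers><TimeTrigger>"
                    "<StartBoundary>2016-01-01T00:00:00</StartBoundary>"
                    "<Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>"
                    "<Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\iecache.exe</Command>"
                    "</Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": f"<Task xmlns='{TASK_NS}'><Triggers><CalendarTrigger>"
                    "<StartBoundary>2016-01-01T01:00:00</StartBoundary>"
                    "<ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek></ScheduleByWeek>"
                    "</CalendarTrigger></Triggers><Actions><Exec>"
                    "<Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>"},
    {"EventID": 4104, "ScriptBlockText":
        "Get-WmiObject Win32_OperatingSystem | Select SystemDirectory,BuildNumber,SerialNumber,Version,RegisteredUser; "
        "Get-WmiObject Win32_ComputerSystem | Select Manufacturer,Model,TotalPhysicalMemory,PrimaryOwnerName; arp -a"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\logs | Where-Object { $_.Length -gt 1MB }"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["EventID"], "->", "; ".join(alert["reasons"]))
```

The task-name match is kept only as a secondary signal: an operator can rename a task at no cost, whereas "hourly repetition plus a payload under AppData/Temp/ProgramData" describes the persistence mechanism itself. Script block logging (event 4104) has to be enabled for the PowerShell check to see anything, and the WMI rule requires several of the listed properties together so that a single Get-WmiObject in an admin script does not fire it.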
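The Standard Cryptographic Protocol row says the C2 traffic is RC4 under a hard-coded key. The following added example (not code from the ATT&CK page or from a Stealth Falcon sample) shows what that means for an analyst holding a packet capture. The key, the beacon format and both beacon messages are constructed; the page does not publish the real key or protocol, and the assumption that no per-message nonce is mixed into the key follows from "hard-coded key" rather than from anything the page states.

```python
"""RC4 with a hard-coded key, as the ATT&CK entry describes for Stealth Falcon C2 traffic.

Added example, not code from the ATT&CK page or from a Stealth Falcon sample.
The key, the beacon format and both beacons are constructed; the page does not
publish the real key or protocol, and the absence of a per-message nonce is an
assumption that follows from "hard-coded key" rather than a documented fact.
"""

HARDCODED_KEY = b"example-hardcoded-key"  # hypothetical stand-in for the key an analyst pulls from the binary


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then PRGA for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR against the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known plaintext/ciphertext pair yields the keystream prefix; no key needed."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_prefix(keystream: bytes, ciphertext: bytes) -> bytes:
    """Fixed key and no nonce means every message uses the same keystream, so the prefix decrypts any capture."""
    return xor_bytes(ciphertext, keystream)


# Constructed beacons (not real Stealth Falcon traffic): a predictable check-in, then a tasking message.
CHECKIN = b"host=WS-042;build=10586;cmd=checkin"
TASKING = b"host=WS-042;build=10586;cmd=exfil;file=C:\\Users\\victim\\Documents\\notes.docx"


def demo():
    """Return (decrypt with extracted key, keyless prefix recovery) for the constructed beacons."""
    c_checkin = rc4(HARDCODED_KEY, CHECKIN)
    c_tasking = rc4(HARDCODED_KEY, TASKING)
    # 1. An analyst who extracted the hard-coded key from the sample decrypts every capture, past and future.
    with_key = rc4(HARDCODED_KEY, c_tasking)
    # 2. An analyst without the key, who knows only the check-in content (e.g. the format string
    #    in the binary), recovers the keystream prefix and reads the start of every other message.
    ks_prefix = recover_keystream(c_checkin, CHECKIN)
    without_key = decrypt_prefix(ks_prefix, c_tasking)
    return with_key, without_key


if __name__ == "__main__":
    with_key, without_key = demo()
    print("with key:   ", with_key.decode())
    print("without key:", without_key.decode())
```

Two practical consequences follow. First, because the key never changes, extracting it once from a sample retroactively decrypts every capture of that malware family's traffic; the key bytes are also a durable string for matching related samples. Second, the T1071 row says the channel is HTTPS, so the RC4 layer is only reachable in traffic captured on the endpoint or behind a TLS-inspecting proxy; on the wire you see TLS, and the RC4 weakness helps only after that outer layer is removed.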