Group: Stealth Falcon

Type: Group
ID: G0038
Aliases: Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.[1]

Techniques Used

  • PowerShell - Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands received from its C2 server.[1]
  • System Information Discovery - Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[1]
  • Query Registry - Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[1]
  • Scheduled Task - Stealth Falcon malware creates a scheduled task named “IE Web Cache” to execute a malicious file hourly.[1]
  • Credential Dumping - Stealth Falcon malware gathers passwords from multiple sources, including the Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook.[1]
  • Scripting - Stealth Falcon malware uses PowerShell and WMI to script data collection and command execution on the victim system.[1]
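A defender-side check for the scheduled-task persistence listed above, added here as an example that is not part of the ATT&CK page or the cited report. It assumes the task-definition XML that Windows Security event 4698 ("A scheduled task was created") carries, and the sample records, task names and paths are constructed.

```python
"""Hunt for scheduled tasks that match the Stealth Falcon persistence pattern.

Added illustration, not ATT&CK or Stealth Falcon code. It parses the task
definition XML that Windows Security event 4698 carries, and flags tasks whose
name matches the reported "IE Web Cache" task or that repeat hourly while
launching a binary from a user-writable path. Sample events are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"ie web cache"}  # task name reported for Stealth Falcon
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)

def analyse_task(task_name: str, task_xml: str) -> list[str]:
    """Return the reasons a task looks suspicious; an empty list means benign."""
    reasons = []
    root = ET.fromstring(task_xml)
    if task_name.strip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches reported Stealth Falcon task")
    # Repetition/Interval holds an ISO 8601 duration; PT1H means "every hour".
    hourly = any(e.text == "PT1H" for e in root.iterfind(".//t:Repetition/t:Interval", NS))
    commands = [e.text or "" for e in root.iterfind(".//t:Exec/t:Command", NS)]
    if hourly and any(USER_WRITABLE.search(c) for c in commands):
        reasons.append("hourly repetition of a binary in a user-writable path")
    return reasons

def hunt(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each suspicious task name to its findings; benign tasks are omitted."""
    return {name: r for name, xml in events if (r := analyse_task(name, xml))}

# Constructed 4698-style records: (TaskName, TaskContent).
SUSPICIOUS_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2016-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\alice\AppData\Roaming\svc.exe</Command></Exec></Actions>
</Task>"""
BENIGN_XML = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2016-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [(r"\IE Web Cache", SUSPICIOUS_XML), (r"\Vendor Update", BENIGN_XML)]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The name match alone is a weak indicator, since a task can be renamed; the hourly-trigger-from-user-path rule is what catches a renamed variant.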