New Deadglyph backdoor detailed

New cyberespionage attacks have been launched by the Stealth Falcon threat operation, also known as FruityArmor, using the novel sophisticated Deadglyph malware, The Hacker News reports. In an intrusion against a Middle East-based government organization, attackers were found to have leveraged a shellcode loader that would trigger the shellcode and prompt the delivery of Deadglyph's x64 module dubbed "Executor," which then loads the .NET component dubbed "Orchestrator" that waits for commands from its Windows Background Intelligent Transfer Service command-and-control server, according to an ESET report. Aside from using different programming languages likely to evade detection, Deadglyph was discovered to receive commands under three categories, with Executor tasks enabling additional module execution, Orchestrator tasks allowing Network and Timer module management, and Upload tasks permitting command and error output uploads. "Deadglyph boasts a range of counter-detection mechanisms, including continuous monitoring of system processes and the implementation of randomized network patterns. Furthermore, the backdoor is capable of uninstalling itself to minimize the likelihood of its detection in certain cases," said ESET.