Skip to content

G0038 Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. 1

Item Value
ID G0038
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 23 November 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Stealth Falcon malware communicates with its C2 server via HTTPS.1
enterprise T1059 Command and Scripting Interpreter Stealth Falcon malware uses WMI to script data collection and command execution on the victim.1
enterprise T1059.001 PowerShell Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.1
enterprise T1555 Credentials from Password Stores Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.1
enterprise T1555.003 Credentials from Web Browsers Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.1
enterprise T1555.004 Windows Credential Manager Stealth Falcon malware gathers passwords from the Windows Credential Vault.1
enterprise T1005 Data from Local System Stealth Falcon malware gathers data from the local victim system.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.1
enterprise T1041 Exfiltration Over C2 Channel After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.1
enterprise T1057 Process Discovery Stealth Falcon malware gathers a list of running processes.1
enterprise T1012 Query Registry Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.1
enterprise T1082 System Information Discovery Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.1
enterprise T1016 System Network Configuration Discovery Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.1
enterprise T1033 System Owner/User Discovery Stealth Falcon malware gathers the registered user and primary owner name via WMI.1
enterprise T1047 Windows Management Instrumentation Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).1

References

  1. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.