Desert Falcons

Posted by ISL Admin on Saturday, February 21, 2015

The threat group Desert Falcons, a cyber-espionage network that targeted many organizations and high-profile individuals in the Middle East, was revealed during the Kaspersky Lab Security Analyst Summit in Mexico. Analysts consider this unit the first known Arab group of "cyber mercenaries" to have developed and carried out full-scale cyber-espionage operations against companies.

The list of victims includes military and government organizations, in particular officers responsible for tackling money laundering. The attacks also targeted executives in the health and finance sectors, prominent media outlets, research and educational institutions, energy providers and utilities, activists and political leaders, private security companies and other individuals holding considerable geopolitical information.

The group has been active for at least two years. Desert Falcons began developing and building out the operation in 2011; however, its main activity, including malware infections, ramped up in 2013, and its peak activity was recorded in early 2015.

The vast majority of targets are located in Egypt, Palestine, Israel and Jordan.

Although the Middle East was its original target area, Desert Falcons also operates beyond it. Overall, its members have compromised more than 3,000 victims in more than 50 countries worldwide and stolen more than one million files.

The attackers use malicious tools they developed themselves to attack Windows computers and Android devices. Kaspersky Lab specialists have many reasons to believe that the native language of the Desert Falcons operators is Arabic.

While the attacks appear concentrated in Egypt, Palestine, Israel and Jordan, many victims were also found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.

The main method Desert Falcons used to deliver its malicious payload was spear-phishing via e-mail, instant messaging and social-media chat messages. The phishing messages carried malicious files (or links leading to malware) disguised as legitimate documents or applications.

Desert Falcons uses various techniques to lure victims and trick them into executing malicious files. One of the most typical techniques used by the group is the so-called "Right-to-Left Override". It takes advantage of a special Unicode control character (U+202E, RIGHT-TO-LEFT OVERRIDE) that reverses the display order of the characters that follow it in a file name, so the dangerous extension is hidden in the middle of the displayed name and a harmless-looking fake extension appears at the end. With this technique, executable files (.exe, .scr) look like an innocuous document or PDF, and even careful users with good technical knowledge can be tricked into "opening" them. For example, a file whose name ends in the override character followed by "fdp.scr" is displayed as ending in "rcs.pdf": the real extension is .scr, but the user sees .pdf.
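As an added example (not code from the original post or from Kaspersky Lab), the following Python snippet shows how a mail gateway or endpoint agent can detect this trick: it strips Unicode bidirectional control characters from an attachment name to recover the real extension, approximates what a bidi-aware file manager would display (everything after U+202E reversed), and flags the mismatch. The file names below are constructed for the demonstration, and the display approximation assumes the name contains no other right-to-left text.

```python
import unicodedata

# Unicode bidirectional control characters that can reorder displayed text.
# U+202E (RLO) is the one abused by Desert Falcons; the rest are included
# because any of them can be used for similar disguises.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                 # LRM, RLM
}

# Extensions that Windows will execute when double-clicked (illustrative list).
DANGEROUS_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def strip_bidi(name: str) -> str:
    """Return the file name as the operating system actually stores and uses it."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file manager shows to the user.

    Assumption (simplified bidi algorithm): after the first RLO, every
    remaining character is drawn right-to-left, i.e. the tail is reversed.
    """
    idx = name.find("\u202e")
    if idx == -1:
        return strip_bidi(name)
    head = name[:idx]
    tail = strip_bidi(name[idx + 1:])
    return head + tail[::-1]


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Compare the real extension with the one the victim would see."""
    controls = sorted({f"U+{ord(c):04X} {unicodedata.name(c)}" for c in name if c in BIDI_CONTROLS})
    real = extension_of(strip_bidi(name))
    shown = rendered_name(name)
    apparent = extension_of(shown)
    return {
        "stored_name": strip_bidi(name),
        "rendered_name": shown,
        "real_extension": real,
        "apparent_extension": apparent,
        "bidi_controls": controls,
        # Flag when a bidi control is present and the true extension is executable,
        # regardless of what the user would see.
        "suspicious": bool(controls) and real in DANGEROUS_EXTENSIONS,
    }


# Constructed sample attachment names (not real samples from the campaign).
SAMPLES = [
    "scan_\u202efdp.scr",       # displayed as scan_rcs.pdf, really a .scr
    "budget_2015\u202ecod.exe",  # displayed as budget_2015exe.doc, really an .exe
    "report.pdf",                # benign
]


def scan_samples(samples=SAMPLES) -> list:
    """Return the names of samples that should be blocked or quarantined."""
    return [s for s in samples if analyze_filename(s)["suspicious"]]


if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze_filename(s)
        print(f"{r['rendered_name']!r:28} real={r['real_extension']:4} "
              f"shown={r['apparent_extension']:4} suspicious={r['suspicious']}")
```

Blocking on the presence of bidi control characters alone is a reasonable gateway policy, since legitimate attachment names almost never contain them; the real-versus-apparent extension comparison is what turns the alert into an explanation an analyst can act on.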

After successfully "infecting" a victim, Desert Falcons members use one of two different backdoors: either their main Trojan or the DHS Backdoor, both of which appear to have been written from scratch and are under constant development. Kaspersky Lab experts identified more than 100 malware samples used in the attacks.

The malicious tools used have full backdoor functionality: they can take screenshots, log keystrokes, upload and download files, collect information about all files on the victim's hard disk or connected USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger) and make audio recordings. Kaspersky Lab experts also detected traces of what appears to be an Android backdoor, capable of intercepting call and SMS logs.