Introduction
Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citizen Lab Stealth Falcon May 2016)
Activities and Tactics
Targeted Sectors: Activists, Dissidents, Journalists, Civil society
Country of Origin: United Arab Emirates
Risk Level: High
First Seen: 2016
Last Activity: 2016
Incident Type: Espionage
Suspected Victims: United Arab Emirates, United Kingdom
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1555.004 Windows Credential Manager
- T1059 Command and Scripting Interpreter
- T1555.003 Credentials from Web Browsers
- T1555 Credentials from Password Stores
- T1057 Process Discovery
- T1016 System Network Configuration Discovery
- T1573.001 Symmetric Cryptography
- T1012 Query Registry
- T1071.001 Web Protocols
- T1033 System Owner/User Discovery
- T1047 Windows Management Instrumentation
- T1005 Data from Local System
- T1041 Exfiltration Over C2 Channel
- T1059.001 PowerShell
- T1053.005 Scheduled Task
- T1082 System Information Discovery
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Attribution and Evidence for dataset links.
Malware and Tools
- MS16-120 / CVE-2016-3393 0day exploits
- 0day CVE-2018-8453
- PowerShell backdoor
- CVE-2018-8611
Attribution and Evidence
Country of Origin: United Arab Emirates
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[3] Citizen Lab Stealth Falcon May 2016: Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.