Desert Falcons is the first Arab cyber-espionage group, with thousands of victims worldwide

Kaspersky Lab's Global Research and Analysis Team has uncovered the activity of the Desert Falcons group, a cyber-espionage operation targeting many high-profile organizations and individuals in Middle Eastern countries.

Kaspersky Lab experts consider this the first known Arab group of "digital mercenaries" to develop and carry out full-scale cyber-espionage operations.

  • The campaign has been active for at least two years. The Desert Falcons group began to develop and build up its operation in 2011, but its core activity and the first infections with its malware date to 2013. Its activity peaked at the beginning of 2015.
  • The overwhelming majority of targets are in Egypt, Palestine, Israel and Jordan.
  • In addition to the Middle Eastern countries that were its original targets, the Desert Falcons group is also active outside the region. In total, its members have managed to attack more than 3,000 victims in more than 50 countries worldwide, stealing more than one million files.
  • The attackers use malware they developed themselves to attack Windows computers and Android devices.
  • Kaspersky Lab experts have many reasons to believe that the native language of the Desert Falcons members is Arabic.

The list of targeted victims includes military and governmental organizations, in particular officials responsible for combating money laundering. The campaign also targeted executives from the health and finance sectors, leading media outlets, research and education institutions, energy providers and utilities, activists and political leaders, personal security companies, and other targets holding geopolitical information.

Overall, Kaspersky Lab experts have found signs of attacks on more than 3,000 victims in more than 50 countries, with more than one million files stolen. Although the attackers appear to be operating from countries such as Egypt, Palestine, Israel and Jordan, many victims have also been found in Qatar, Saudi Arabia, the United Arab Emirates, Algeria, Lebanon, Norway, Turkey, Sweden, France, the United States, Russia and other countries.

Delivery, Infection, Espionage

The main methods the Desert Falcons group used to deliver its malware were spear-phishing by email, social media messages, and instant messaging. The phishing messages contained malicious files (or links to malicious files) disguised as legitimate documents or applications. The Desert Falcons group uses various techniques to lure victims into running these malicious files. One of the most typical is the so-called "Right-to-Left Override".

This technique abuses a special Unicode character that reverses the display order of the characters that follow it in a file name, hiding the dangerous extension in the middle of the name and placing a fake, harmless-looking extension near the end. With this trick, malicious files (.exe, .scr) look like harmless documents or PDF files, and even careful users with good technical knowledge can be tricked into running them. For example, a file named ".Fdp.scr" would be displayed as ".Rcs.pdf".
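A defender-side check for the file-name trick described above. This is an added example, not code from the original article or from Kaspersky Lab: it approximates how a file manager renders a name containing a single RLO character, and flags names whose displayed extension differs from the one the operating system will actually act on. The sample attachment names are constructed, not taken from the campaign.

```python
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character this lure relies on
# Unicode bidi controls that reorder a displayed name without changing the
# bytes the OS uses when it picks the extension.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RISKY_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd"})

def displayed_name(name: str) -> str:
    """Approximate a file manager's rendering: text after a single RLO is
    shown mirrored. Assumption: at most one RLO and no other controls."""
    pos = name.find(RLO)
    return name if pos < 0 else name[:pos] + name[pos + 1:][::-1]

def real_extension(name: str) -> str:
    """Extension the OS actually acts on: taken from the raw name with the
    invisible control characters stripped."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def analyze_filename(name: str) -> dict:
    """Flag a name whose displayed extension differs from its real one."""
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext = real_extension(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and real_ext in RISKY_EXTENSIONS
        and shown_ext != real_ext,
    }

def find_suspicious(names):
    """Return the raw names from an iterable that use the override trick."""
    return [n for n in names if analyze_filename(n)["suspicious"]]

# Constructed sample attachment names; not taken from the campaign.
SAMPLE_NAMES = [
    "budget_2015.xlsx",
    "memo" + RLO + "fdp.scr",   # displays as "memorcs.pdf", really a .scr
    "photo" + RLO + "gnp.exe",  # displays as "photoexe.png", really an .exe
]

if __name__ == "__main__":
    for n in find_suspicious(SAMPLE_NAMES):
        print(repr(n), "->", analyze_filename(n))
```

The same check can run over mail-gateway attachment logs or a directory listing; any hit on a control character in a file name is worth an alert on its own, since legitimate names almost never contain one.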

After successfully infecting a victim, Desert Falcons members use one of two different backdoors, either their main Trojan or the DHS Backdoor, both of which appear to have been developed from scratch and are under continuous development. Kaspersky Lab specialists were able to identify more than 100 malware samples used by this group in its attacks.

The malicious tools used have full backdoor functionality: they can take screenshots, log keystrokes, upload or download files, collect information about all Word and Excel files on a victim's hard drive or connected USB devices, steal passwords stored in the system registry (Internet Explorer and Live Messenger), and make audio recordings. Kaspersky Lab experts also found traces of malware that appears to be an Android backdoor capable of stealing call and SMS logs.

Using these tools, members of the Desert Falcons team created and managed at least three different malicious campaigns targeting different victims in different countries.

A "flock" on a covert hunt

Kaspersky Lab researchers estimate that at least 30 individuals, in three groups spread across different countries, are running the Desert Falcons malware campaigns.

"The people behind this organization are extremely determined, active, with good technical knowledge and good information on political and cultural issues. Using only phishing email, social engineering techniques, tools and backdoors developed by themselves, the members of the Desert Falcons team have been able to 'pollute' hundreds of major victims in the Middle East through their computers or their handheld devices, as well as decode sensitive data. We expect this campaign to continue to develop more Trojans and to use even more sophisticated techniques. With sufficient funding, they could acquire or develop exploits, which could increase the effectiveness of their attacks," said Dmitry Bestuzhev, a security expert and member of Kaspersky Lab's Global Research and Analysis Team.

Kaspersky Lab products detect and successfully block the malware used by the Desert Falcons team.

More information about the campaign is available at Securelist.com.


Written by Dimitris
