State-backed Curious Serpens Hackers Evolve with FalseFont Backdoor
A complex cyber-espionage campaign linked to the Iranian threat group Curious Serpens (also known as Peach Sandstorm, among other aliases) underscores the evolving techniques of state-backed hackers. The latest tool in their arsenal is “FalseFont,” a sophisticated backdoor uncovered by security researchers at Unit 42.
Espionage Under False Pretenses
Curious Serpens has a history of targeting aerospace, energy, and other strategically important sectors. Its latest campaign preys on job seekers in the aerospace and defense industries. Victims are lured with a convincing but malicious job-application program whose interface mimics that of a legitimate U.S.-based aerospace company. The application is itself the malware: while the applicant fills in personal details and uploads a "resume," the FalseFont backdoor is already running on the system.
What is FalseFont?
Curious Serpens has a long record of cyber espionage against the aerospace and energy sectors. The FalseFont backdoor, documented by Unit 42 and Microsoft Threat Intelligence, shows how the group breaches defenses through social engineering rather than exploits: by posing as a legitimate human-resources application for job recruitment, it trades on the aspirations of job seekers in the aerospace and defense industries. Because the victim installs and runs the program voluntarily, it reaches the endpoint without an exploit and then carries out the clandestine collection and exfiltration described below.
FalseFont is written in .NET; its C2 channel is built on the ASP.NET Core SignalR client library. Its capabilities cover remote command execution, file-system manipulation, screen capture, and credential theft. Particularly notable is its collection of the credentials and personal details that applicants type into the fake job-application interface, which in a defense-sector target can lead to access to data related to national security and proprietary technology.
At the heart of FalseFont is a dual-component design: a GUI that mimics an aerospace company's job-application interface, and a backdoor component that maintains communication with a command-and-control (C2) server. C2 messages are AES-encrypted and then Base64-encoded. Two caveats for analysts: Base64 is an encoding, not encryption, and adds no secrecy once the layering is recognized; and because the AES key (or the material to derive it) must be present in the client for it to communicate, the traffic can be decrypted by anyone who recovers that key from a sample. The scheme defeats casual inspection and signature matching on plaintext, not dedicated analysis.
On initialization, FalseFont establishes persistence by writing multiple copies of itself to disk and setting registry autorun keys so that it is launched at startup. Its use of ASP.NET Core SignalR for C2 gives the operators a real-time, bidirectional channel to infected hosts, which is uncommon among backdoors and lets commands be issued and results returned without the polling delay of a beacon-style implant.
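The persistence pattern just described (an executable copied to several locations, then registered under a Run key that points at a user-writable path) is something a SOC can hunt for generically without knowing FalseFont's specific paths. The hunt below is an added example, not Unit 42 or Microsoft code; the event lines are a constructed, simplified telemetry format (event type, host, process, key=value fields) rather than real Sysmon XML, and the paths and hashes are made up.

```python
"""Hunt for user-land autorun persistence: a Run key that points at a binary in a
user-writable directory, scored higher when the same hash was written to other
locations on the host (the "multiple copies of itself" behaviour).

Added example, not vendor code. Event format and sample data are constructed."""
import re
from collections import defaultdict

# Matches the per-user and per-machine autorun keys under CurrentVersion.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# Locations an unprivileged user can write to. Legitimate installers almost
# always register Run entries under Program Files instead.
USER_WRITABLE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Documents|Desktop)\\", re.IGNORECASE
)
# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample telemetry: WS01 shows the suspicious pattern, WS02 a normal
# installer writing to Program Files and registering a machine-wide Run entry.
EVENTS = [
    "FILE_CREATE host=WS01 proc=JobApp.exe path=C:\\Users\\alice\\AppData\\Roaming\\Vendor\\Vendor.exe sha256=aa11",
    "FILE_CREATE host=WS01 proc=JobApp.exe path=C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe sha256=aa11",
    "REG_SET host=WS01 proc=JobApp.exe key=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor value=C:\\Users\\alice\\AppData\\Roaming\\Vendor\\Vendor.exe",
    "FILE_CREATE host=WS02 proc=msiexec.exe path=C:\\Program Files\\Vendor\\app.exe sha256=bb22",
    "REG_SET host=WS02 proc=msiexec.exe key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\App value=C:\\Program Files\\Vendor\\app.exe",
]


def parse(line):
    """Split 'EVENT k=v k=v ...' into a dict including the event type."""
    event, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["event"] = event
    return fields


def hunt(lines):
    copies = defaultdict(set)   # (host, sha256) -> paths that hash was written to
    hash_of = {}                # (host, path) -> sha256
    run_entries = []
    for f in map(parse, lines):
        if f["event"] == "FILE_CREATE":
            copies[(f["host"], f["sha256"])].add(f["path"])
            hash_of[(f["host"], f["path"])] = f["sha256"]
        elif f["event"] == "REG_SET" and RUN_KEY_RE.search(f["key"]):
            run_entries.append(f)

    findings = []
    for r in run_entries:
        target = r["value"]
        if not USER_WRITABLE_RE.match(target):
            continue  # Run entry under Program Files etc.: normal for installers
        sha = hash_of.get((r["host"], target))
        siblings = sorted(copies.get((r["host"], sha), set()) - {target}) if sha else []
        findings.append({
            "host": r["host"],
            "process": r["proc"],
            "run_target": target,
            "other_copies": siblings,
            # Same hash dropped in several places plus a user-land Run key is
            # much stronger than either signal alone.
            "severity": "high" if siblings else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

In production the FILE_CREATE and REG_SET records would come from Sysmon Event IDs 11 and 13 (or the EDR equivalent); the value parsing would also need to strip quoting and command-line arguments from the Run entry before matching the path.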
FalseFont Capabilities: Espionage & Disruption
- Stealthy Control: Once installed, FalseFont lets the operators execute commands remotely and read, write, and delete files across the system; in an organizational setting that level of access can also be turned to operational disruption, not only collection.
- Multipronged Data Theft: The malware harvests saved login credentials from popular browsers and collects the data applicants submit to the fake aerospace job-application interface, with the apparent aim of stealing credentials and intellectual property.
- Screen Surveillance: Periodic screenshots give the attackers a near real-time view of the victim's activity, supplementing the file and credential theft.
- Real-time Communication: Because the C2 channel is built on SignalR, a widely used legitimate framework, commands arrive over what looks like ordinary HTTPS and WebSocket traffic, and the operators can react immediately rather than waiting for a beacon interval.
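A SignalR client is recognizable on the wire even under TLS: it first POSTs to the hub URL with `/negotiate` appended (carrying a `negotiateVersion` query parameter) and, when the WebSocket transport is available, follows with an HTTP upgrade (status 101) to the same hub path. The detection below, an added example rather than Unit 42 or Microsoft code, looks for that handshake from a non-browser process to a destination outside a known-good list. The log format (timestamp, host, process, method, URL, status) is constructed, and the hosts and IP are placeholders, not FalseFont infrastructure.

```python
"""Flag the SignalR negotiate/upgrade handshake from non-browser processes in
proxy telemetry. Added example, not vendor code; log format and data constructed."""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Destinations known to host legitimate SignalR hubs in this environment
# (assumption for the example; in practice build this from a baseline).
ALLOWED_HOSTS = {"hub.corp.example"}
WINDOW_SECONDS = 30  # how soon after negotiate the transport upgrade must follow

# Constructed proxy log: a browser using a corporate hub (benign), a suspicious
# process completing the handshake to an external IP (WS01), and the same
# process negotiating without a visible upgrade (WS02).
LOG = """\
2024-03-20T10:00:01 WS01 msedge.exe POST https://hub.corp.example/chat/negotiate?negotiateVersion=1 200
2024-03-20T10:00:02 WS01 msedge.exe GET https://hub.corp.example/chat?id=abc 101
2024-03-20T10:05:10 WS01 JobApp.exe POST https://203.0.113.7/hub/negotiate?negotiateVersion=1 200
2024-03-20T10:05:11 WS01 JobApp.exe GET https://203.0.113.7/hub?id=def 101
2024-03-20T10:07:00 WS02 JobApp.exe POST https://203.0.113.7/hub/negotiate?negotiateVersion=1 200
2024-03-20T10:09:30 WS03 Teams.exe POST https://hub.corp.example/x/negotiate?negotiateVersion=1 200
"""


def parse_line(line):
    ts, host, proc, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "method": method, "url": urlsplit(url), "status": int(status)}


def is_negotiate(rec):
    """The SignalR client's first request: POST <hub>/negotiate?negotiateVersion=N."""
    return (rec["method"] == "POST"
            and rec["url"].path.endswith("/negotiate")
            and "negotiateVersion" in parse_qs(rec["url"].query))


def detect(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for i, rec in enumerate(records):
        if not is_negotiate(rec) or rec["proc"].lower() in BROWSERS:
            continue
        if rec["url"].hostname in ALLOWED_HOSTS:
            continue
        hub_path = rec["url"].path[: -len("/negotiate")]
        # Did the same process then open the WebSocket transport to that hub?
        upgraded = any(
            s["host"] == rec["host"] and s["proc"] == rec["proc"]
            and s["url"].hostname == rec["url"].hostname
            and s["url"].path == hub_path and s["status"] == 101
            and 0 <= (s["ts"] - rec["ts"]).total_seconds() <= WINDOW_SECONDS
            for s in records[i + 1:]
        )
        findings.append({"host": rec["host"], "process": rec["proc"],
                         "c2": rec["url"].hostname, "hub": hub_path,
                         # negotiate alone is still worth a look: SignalR falls
                         # back to server-sent events or long polling when
                         # WebSockets are blocked, so no 101 may ever appear.
                         "confidence": "high" if upgraded else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(LOG):
        print(finding)
```

SignalR is common in legitimate software, so the process-to-destination allowlist is what keeps this from paging on every line-of-business app; the handshake itself is the anchor, and the process identity and destination reputation carry the verdict.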
The Threat to Aerospace & Defense
This highly targeted campaign is cause for serious concern within the aerospace and defense sectors. Given Curious Serpens's record of espionage against these industries, theft of sensitive intellectual property, and potentially disruption of operations, are realistic risks. Because the initial access relies entirely on the victim running an unsolicited "application" program, awareness among staff who are job hunting, and controls on unsigned executables from recruiter contacts, matter as much here as network detection.