By Tom Fakterman, Daniel Frank and Jerome Tujague
Executive Summary
This article reviews the recently discovered FalseFont backdoor, which was used by a suspected Iranian-affiliated threat actor that Unit 42 tracks as Curious Serpens. Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor.
Our in-depth technical analysis will help security professionals better understand FalseFont and more effectively defend against this threat. This article focuses on analysis of the newly discovered FalseFont backdoor and its capabilities. Lastly, we’ll discuss ways to detect and prevent this targeted backdoor.
Palo Alto Networks customers are better protected from the threats mentioned in this article in the following ways:
- Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the malware C2 traffic.
- Advanced URL Filtering and DNS Security categorize known C2 domains and IPs as malicious.
- Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
- Cortex XDR and Prisma Cloud Compute, combined with the XSIAM platform, help detect and prevent the threats mentioned in this article.
- The Advanced WildFire machine learning models and analysis techniques have been reviewed and updated in light of this new malware.