
Stealth Soldier espionage malware strikes in North Africa

Constantly evolving highly targeted and personalized attacks


A new custom backdoor, called the Stealth Soldier, has been used as part of a set of highly targeted espionage attacks in North Africa. Check Point, a cybersecurity firm, stated in a technical report that the Stealth Soldier malware is an undocumented backdoor that mainly operates on surveillance functions, such as file extraction, screen and microphone recording, logging of keystrokes and the theft of information from the browser.

The ongoing operation relies on command and control (C&C) servers that impersonate sites belonging to Libya's Ministry of Foreign Affairs. Artifacts associated with the campaign date back to at least October 2022. The attacks begin with fake downloader binaries delivered through social engineering; these act as the conduit for retrieving Stealth Soldier while simultaneously displaying a decoy blank PDF file.

The custom modular implant, which appears to be used sparingly, provides surveillance capabilities: collecting directory listings and browser credentials, logging keystrokes, recording microphone audio, taking screenshots, uploading files, and executing PowerShell commands. “The malware uses different types of commands: some are plugins that are downloaded from the C&C and some are modules within the malware,” Check Point said, adding that the discovery of three versions of Stealth Soldier indicates that it is being actively maintained by its operators.

Some of the components are no longer available for retrieval, but the screen capture and browser credential theft plugins were allegedly inspired by open source projects available on GitHub. Furthermore, the Stealth Soldier infrastructure has overlaps with another phishing campaign called Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019.

This represents the "first possible reappearance of this threat actor" since that period, indicating that the group is focused on the surveillance of Libyan and Egyptian targets. "Given the malware's modularity and use of different stages of infection, it is likely that attackers will continue to evolve their tactics and techniques and distribute new versions of this malware in the foreseeable future," Check Point said.

Highly targeted espionage attacks using a custom backdoor

A new custom backdoor called Stealth Soldier has been employed sparingly in a highly targeted espionage campaign in North Africa, according to Check Point. The malware has surveillance capabilities such as audio and video recording, keystroke logging, browser information gathering, and file exfiltration. The attacks start with fake downloader binaries delivered through social engineering. The custom modular implant is used sparingly and allows the operators to capture browser credentials, execute PowerShell commands, upload files, and take screenshots. Stealth Soldier's infrastructure overlaps with a previous phishing campaign that targeted Egyptian journalists and human rights activists in 2019, indicating that the group is geared towards surveillance of Libyan and Egyptian targets.

The malware uses different versions and is constantly evolving

Stealth Soldier is a custom backdoor that is actively maintained by the operators and is constantly evolving. The malware uses different types of commands, some of which are plugins that are downloaded from the C&C, while others are modules within the malware itself. Check Point discovered three versions of Stealth Soldier and speculated that attackers will continue to evolve their techniques and tactics, distributing new versions of this malware in the near future.

The espionage campaign is characterized by command and control (C&C) servers that impersonate sites belonging to the Ministry of Foreign Affairs of Libya. The attacks begin with fake downloader binaries delivered through social engineering; these act as the conduit for retrieving Stealth Soldier while simultaneously displaying a decoy blank PDF file. The use of multiple infection stages demonstrates the adaptability of the attackers and indicates that the campaign is highly targeted.

Stealth Soldier malware poses a threat to cyber security

Stealth Soldier poses a cybersecurity threat as it is being used as part of a highly targeted espionage campaign in North Africa. The malware collects sensitive information through screen and microphone recording, keystroke logging, and theft of browser data, putting users' privacy and security at risk. The use of command-and-control servers impersonating websites belonging to Libya's Ministry of Foreign Affairs demonstrates the attackers' ability to mask their activity and make identification difficult. Users are encouraged to take additional security measures to protect their devices and personal data.


06/09/2023 09:06

Editorial AI
