
A new custom backdoor called Stealth Soldier was deployed as part of a series of highly targeted espionage attacks in North Africa.
“The Stealth Soldier malware is an undocumented backdoor that primarily performs surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and browser information theft,” cybersecurity firm Check Point said in a technical report.
A notable feature of the ongoing operation is the use of command-and-control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The oldest artifact associated with this campaign dates to October 2022.

The attack begins with a potential target downloading a fake downloader binary delivered through a social engineering attack. The downloader serves as a conduit to fetch Stealth Soldier while simultaneously displaying an empty decoy PDF file.
This custom modular implant, believed to be used sparingly, enables spying by collecting directory listings and browser credentials, logging keystrokes, recording microphone audio, taking screenshots, uploading files, and executing PowerShell commands.

“This malware uses different types of commands, some of which are plugins downloaded from the C&C and some of which are modules within the malware,” Check Point said, adding that the discovery of three versions of Stealth Soldier indicates it is actively maintained by its operators.
Some components are no longer available, but the screen capture and browser credential stealer plugins are said to be inspired by open source projects available on GitHub.
Additionally, the Stealth Soldier infrastructure exhibits overlaps with infrastructure associated with another phishing campaign called “Eye of the Nile,” which targeted Egyptian journalists and human rights activists in 2019.
The development marks “the first possible re-emergence of this threat actor” since then, suggesting that the group is gearing up to monitor targets in Egypt and Libya.
“Given the malware’s modularity and multiple stages of infection, attackers will likely continue to evolve their tactics and techniques and introduce new versions of this malware in the near future,” Check Point said.