Espionage Attacks in North Africa Linked to “Stealth Soldier” Backdoor

A series of highly targeted espionage attacks in North Africa have been linked to a previously undisclosed modular backdoor dubbed the “Stealth Soldier”.

The campaign primarily targets individuals in Libya and focuses on surveillance, according to an advisory released today by Check Point Research (CPR).

Among other things, the Stealth Soldier backdoor is equipped with file leaking, screen and microphone recording, keystroke logging, and browser information stealing capabilities.

One key finding highlighted by the CPR team is that the infrastructure associated with Stealth Soldier shows similarities to the infrastructure used in an earlier campaign known as “Eye of the Nile”.

That campaign targeted Egyptian civil society in 2019; the overlaps with Stealth Soldier suggest the same threat actor may have resurfaced after a long hiatus.

Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, commented, “The rate of cyberattacks is increasing in North Africa.”

“Interestingly, this new Stealth Soldier malware marks the re-emergence of 2019 threat actors operating against Egyptian civil society.”

CPR found various versions of the backdoor. The latest is version 9, probably delivered in February 2023. The oldest version found was version 6, compiled in October 2022.

The malware’s command and control (C&C) servers appear to be connected to a wider range of domains, some of which masquerade as sites belonging to the Libyan Ministry of Foreign Affairs, indicating the use of phishing campaigns.


The researchers added that these findings underscore the importance of robust cybersecurity measures to counter targeted espionage attacks, especially in regions where such threats are prevalent.

“Our research indicates that the actors behind this campaign are politically motivated, using Stealth Soldier malware and a large network of phishing domains to conduct surveillance and espionage targeting Libya and Egypt,” the advisory reads.

“Given the malware’s modularity and use of multiple stages of infection, it is likely that attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future.”

The CPR Advisory includes Indicators of Compromise (IOCs) to help businesses detect and counter the Stealth Soldier threat.
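The page does not reproduce the advisory's indicators, but the way such IOCs are put to use is worth showing. The script below is an added example (not CPR's code, and the domains and hash in it are constructed placeholders, not the published indicators) that sweeps DNS, proxy and EDR log lines for IOC domains and SHA-256 file hashes. It treats any subdomain of an IOC domain as a hit, which matters for C&C infrastructure of the kind described above (lookalike domains fronted by several hostnames), while deliberately not matching unrelated domains that merely contain an IOC string as a substring.

```python
"""Sweep log lines against an IOC list of domains and SHA-256 hashes.

Added example. The IOC values and log lines below are constructed
placeholders for illustration; they are NOT the indicators from the
Check Point Research advisory.
"""
import re

# Constructed placeholder IOCs (lower-case, no trailing dot).
IOC_DOMAINS = {
    "example-foreign-affairs-portal.test",   # placeholder lookalike C&C domain
    "update-service.example",                # placeholder staging domain
}
IOC_SHA256 = {"0" * 64}                      # placeholder file hash

# Domain-like tokens: one or more labels, then an alphabetic TLD.
# Pure IPv4 addresses do not match because the last label must be letters.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def normalize_domain(domain: str) -> str:
    """Case-fold and strip a trailing dot so FQDN spellings compare equal."""
    return domain.lower().rstrip(".")


def domain_matches(domain: str, iocs: set[str]) -> bool:
    """True if domain equals an IOC domain or is a subdomain of one.

    Uses a label boundary ('.' + ioc) rather than a substring test, so
    'notupdate-service.example' does not match 'update-service.example'.
    """
    d = normalize_domain(domain)
    return any(d == ioc or d.endswith("." + ioc) for ioc in iocs)


def scan_line(line: str, domains: set[str] = IOC_DOMAINS,
              hashes: set[str] = IOC_SHA256) -> list[tuple[str, str]]:
    """Return (kind, value) hits found in a single log line."""
    hits: list[tuple[str, str]] = []
    for candidate in DOMAIN_RE.findall(line):
        if domain_matches(candidate, domains):
            hits.append(("domain", normalize_domain(candidate)))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in hashes:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_log(lines: list[str], domains: set[str] = IOC_DOMAINS,
             hashes: set[str] = IOC_SHA256) -> list[tuple[int, str, list]]:
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, domains, hashes)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (DNS, proxy and EDR events), not real telemetry.
SAMPLE_LOG = [
    "2023-02-14T10:22:01Z dns query client=10.0.0.5 qname=www.google.com",
    "2023-02-14T10:22:07Z dns query client=10.0.0.5 qname=mail.example-foreign-affairs-portal.test",
    "2023-02-14T10:23:40Z proxy GET host=update-service.example path=/v9/config.bin",
    "2023-02-14T10:25:02Z edr file_created path=C:\\Users\\u\\AppData\\Roaming\\svc.exe sha256=" + "0" * 64,
    "2023-02-14T10:26:11Z dns query client=10.0.0.6 qname=notupdate-service.example",
]


if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
        print(f"    {line}")
```

Run as-is it reports lines 2, 3 and 4 and stays silent on line 5, the near-miss domain. In practice the IOC sets would be loaded from the advisory's published list and the hash set extended with whatever digest types it provides; the label-boundary check in `domain_matches` is the part to keep, since naive substring matching against a feed of lookalike domains produces both false positives and, with a trailing dot or mixed case in the log, false negatives.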

Another campaign targeting North Africa (and the Middle East) was Earth Bogle, which relied on Middle Eastern geopolitical themed lures to distribute NjRAT.
