A recent espionage campaign in North Africa has raised concerns as a new custom backdoor called “Stealth Soldier” has been deployed. The campaign involves highly targeted attacks and is characterized by the use of command-and-control (C&C) servers that mimic websites belonging to the Libyan Ministry of Foreign Affairs. According to a technical report by a cybersecurity company, the earliest artifacts associated with the campaign date back to October 2022.
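One defensive angle on the C&C servers mimicking the ministry's website is to flag lookalike domains in DNS logs. The following is an added example, not code from the report or the researchers: it assumes a hypothetical placeholder for the legitimate ministry domain (the real one is not given here) and runs over constructed sample log lines.

```python
import re

# Hypothetical placeholder for the legitimate ministry site (assumption, not the real domain).
LEGITIMATE_DOMAINS = {"foreign-ministry.gov.example"}

# Constructed sample DNS query log lines; none of these are real indicators.
SAMPLE_DNS_LOG = """\
2023-06-01T09:12:01Z client=10.0.0.14 query=foreign-ministry.gov.example type=A
2023-06-01T09:12:05Z client=10.0.0.14 query=foreign-ministry-gov.example type=A
2023-06-01T09:13:11Z client=10.0.0.22 query=cdn.updates.example type=A
2023-06-01T09:14:40Z client=10.0.0.14 query=foreignministry.gov.example type=A
2023-06-01T09:15:02Z client=10.0.0.31 query=mail.foreign-ministry.gov.example type=A
"""

def edit_distance(a, b):
    """Classic Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _norm(s):
    # Strip dots and hyphens so "foreign-ministry-gov" compares equal to "foreign-ministry.gov".
    return re.sub(r"[.-]", "", s.lower())

def is_lookalike(query, legit, max_distance=2):
    """True if `query` imitates `legit` without actually being a host inside its zone."""
    query = query.lower().rstrip(".")
    legit = legit.lower()
    if query == legit or query.endswith("." + legit):
        return False  # genuine host under the legitimate zone
    if _norm(legit) in _norm(query):
        return True   # brand embedded, e.g. legit name under a different TLD or as a subdomain
    return edit_distance(_norm(query), _norm(legit)) <= max_distance  # typosquat

def flag_lookalikes(log_text, legitimate=LEGITIMATE_DOMAINS):
    """Return (client, queried_name, imitated_domain) for every suspicious query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if not m:
            continue
        client, query = m.groups()
        hits.extend((client, query, legit) for legit in legitimate if is_lookalike(query, legit))
    return hits
```

Resolving the flagged names to their hosting IPs and checking certificate details is the natural next pivot when such a hit appears.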
The Stealth Soldier malware is described as an undocumented backdoor that primarily focuses on surveillance functions. It is capable of performing various malicious activities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information. Researchers warn that the malware is modular in nature, indicating that it is designed for flexibility and can potentially evolve with new capabilities in the future. The researchers have discovered three versions of the Stealth Soldier backdoor, suggesting active maintenance by the threat actors.
The attack starts with potential targets downloading fake downloader binaries through social engineering techniques. These binaries serve as a conduit for retrieving the Stealth Soldier backdoor onto the victim’s system. Simultaneously, a decoy empty PDF file is displayed to deceive the user. Once installed, the malware enables the attackers to gather directory listings, capture keystrokes, take screenshots, upload files, and execute PowerShell commands. Researchers note that some components of the malware, such as the screen capture and browser credential stealer plugins, appear to have been inspired by open-source projects available on GitHub.
Interestingly, there are overlaps between the infrastructure used in the Stealth Soldier campaign and another phishing campaign known as “Eye on the Nile.” Eye on the Nile targeted Egyptian journalists and human rights activists in 2019. This connection suggests a potential re-emergence of the same threat actor, indicating a continued focus on surveillance against Egyptian and Libyan targets.
The researchers predict that the attackers behind Stealth Soldier are likely to evolve their tactics and techniques, deploying new versions of the malware in the near future. Given the sophistication and modularity of the malware, it is crucial for organizations and individuals in the affected regions to remain vigilant, apply security patches, and follow best practices to mitigate the risk of falling victim to these targeted attacks.