A series of highly targeted espionage attacks in North Africa has been linked to a previously undisclosed modular backdoor called “Stealth Soldier.”
Primarily targeting individuals in Libya, the new campaign focuses on surveillance operations, according to a new advisory published today by Check Point Research (CPR).
In particular, the Stealth Soldier backdoor features file exfiltration, screen and microphone recording, keystroke logging and browser-information theft capabilities.
The CPR team highlighted one significant finding: the infrastructure associated with Stealth Soldier shows similarities with the infrastructure used by a previous campaign known as “Eye on the Nile.”
The latter attacks targeted Egyptian civil society in 2019, but the similarities with Stealth Soldier suggest a possible reappearance of the same threat actor after a long hiatus.
“We’re seeing an increase in the rate of cyber-attacks in North Africa,” commented Sergey Shykevich, threat intelligence group manager at Check Point Software.
“What’s interesting is that this new Stealth Soldier malware signifies a re-emergence of a threat actor from 2019 which operated against Egyptian civilian society.”
CPR discovered different versions of the backdoor, with the latest being Version 9, likely delivered in February 2023. The oldest version found was Version 6, compiled in October 2022.
The malware’s command and control (C&C) servers appear to be connected to a more extensive set of domains, some of which masquerade as sites belonging to the Libyan Foreign Affairs Ministry, indicating the use of phishing campaigns.
The security researchers added that these findings underscore the importance of robust cybersecurity measures to counter targeted espionage attacks, particularly in regions where such threats are prevalent.
“The investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and a significant network of phishing domains to conduct surveillance and espionage operations against Libyan and Egyptian targets,” reads the advisory.
“Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future.”
The CPR advisory includes Indicators of Compromise (IOCs) that can help organizations detect and counter the Stealth Soldier threat.
A separate campaign targeting North Africa (and the Middle East) is Earth Bogle, which relied on Middle Eastern geopolitical-themed lures to distribute NjRAT.