Espionage Attacks in North Africa Linked to “Stealth Soldier” Backdoor

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

A series of highly-targeted espionage attacks in North Africa has been linked to a previously undisclosed modular backdoor called “Stealth Soldier.”

Targeting primarily individuals in Libya, the new campaign focuses on surveillance operations, according to a new advisory published today by Check Point Research (CPR).

In particular, the Stealth Soldier backdoor features file exfiltration, screen and microphone recording, keystroke logging and stealing browser information capabilities.

The CPR team highlighted one significant finding: the infrastructure associated with Stealth Soldier shows similarities with the infrastructure used by a previous campaign known as “Eye on the Nile.”

The latter attacks targeted Egyptian civilian society in 2019, but the similarities with Stealth Soldier suggest a possible re-appearance of the same threat actor after a long hiatus.

“We’re seeing an increase in the rate of cyber-attacks in North Africa,” commented Sergey Shykevich, threat intelligence group manager at Check Point Software.

“What’s interesting is that this new Stealth Soldier malware signifies a re-emergence of a threat actor from 2019 which operated against Egyptian civilian society.”

CPR discovered different versions of the backdoor, with the latest being Version 9, likely delivered in February 2023. The oldest version found was Version 6, compiled in October 2022. 

The malware’s command and control (C&C) servers appear to be connected to a more extensive set of domains, some of which masquerade as sites belonging to the Libyan Foreign Affairs Ministry, indicating the use of phishing campaigns.

Read more on similar threats: Social Media Phishing – The 2023 Cybersecurity Threat

The security researchers added that these findings underscore the importance of robust cybersecurity measures to counter targeted espionage attacks, particularly in regions where such threats are prevalent.

“The investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and a significant network of phishing domains to conduct surveillance and espionage operations against Libyan and Egyptian targets,” reads the advisory.

“Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future.”

The CPR advisory includes Indicators of Compromise (IOCs) that can aid companies in detecting and countering the Stealth Soldier threat.

A separate campaign targeting North Africa (and the Middle East) is Earth Bogle, which relied on Middle Eastern geopolitical-themed lures to distribute NjRAT.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities
How technology drives progress – A Q&A with Nobel laureate Michel Mayor
Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

Leave a Reply

Your email address will not be published. Required fields are marked *