A new custom backdoor dubbed Stealth Soldier has been deployed as part of a series of highly targeted espionage attacks in North Africa.
“The Stealth Soldier malware is an undocumented backdoor that mainly operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information,” cybersecurity firm Check Point said in technical reports.
The ongoing operation is characterized by the use of a command-and-control (C&C) server that mimics a website belonging to the Libyan Ministry of Foreign Affairs. The earliest artifacts associated with the campaign date back to October 2022.
The attack begins with a potential target downloading a bogus downloader binary delivered via a social engineering attack; the downloader acts as a conduit to retrieve Stealth Soldier while displaying an empty decoy PDF file.
A custom modular implant, believed to be used sparingly, enables surveillance capabilities by gathering directory listings and browser credentials, logging keystrokes, recording microphone audio, taking screenshots, uploading files, and executing PowerShell commands.
“The malware uses different kinds of commands: some plugins downloaded from C&C and some modules inside the malware,” Check Point said, adding the discovery of three versions of Stealth Soldier indicated it was being actively maintained by its operators.
Some components are no longer available for retrieval, but the screenshot and browser credential stealer plugin is said to be inspired by an open source project available on GitHub.
What’s more, the Stealth Soldier infrastructure exhibits overlaps with infrastructure related to another phishing campaign, dubbed Eyes on the Nile, that targeted Egyptian journalists and human rights activists in 2019.
The development marked “the first possible re-emergence of this threat actor” since then, indicating that the group is geared to conduct surveillance of Egyptian and Libyan targets.
“Given the modularity of the malware and the use of multiple infection stages, it is likely that attackers will continue to develop their tactics and techniques and deploy new versions of this malware in the near future,” Check Point said.