Check Point Research has uncovered a series of cyberespionage attacks against Libyan organizations using a previously undisclosed backdoor named Stealth Soldier, a custom modular implant with surveillance capabilities.
The choice of Libyan organizations as targets, together with the malware's infrastructure, points to the possible return of a threat actor referred to as "The Eye on the Nile", which was last seen in action in 2019.
Diving into details
The Command and Control (C&C) network of Stealth Soldier is a component of a broader infrastructure that has been used, at least partially, for spear-phishing attacks targeting government entities.
- The infection chain begins with a downloader. How the downloader itself is delivered has not been disclosed, though social engineering is considered likely.
- The most recent version of the implant was reportedly compiled in February 2023.
- During infection, several files are retrieved from the C&C server, including the loader, the watchdog, and the payload.
Let’s discuss its versions
Researchers identified three distinct infection chains, corresponding to three versions of Stealth Soldier: 6, 8, and 9.
- The versions differ in details such as filenames, mutex names, XOR keys, and directory names.
- They also differ in the value name each writes under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key for persistence:
  - "Cache" for version 6
  - "WinUpdate" for version 8
  - "DevUpdate" for version 9
Nonetheless, the overall execution flow and underlying logic are the same across versions.
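As an added detection example (not code from the Check Point report), the Python script below hunts for the three Run-key value names listed above in Sysmon Event ID 13 (RegistryEvent: Value Set) records and, when run on a Windows host, in the live HKCU and HKLM Run keys. The sample records are constructed and use a simplified pipe-delimited layout rather than Sysmon's native XML; the hive (HKCU versus HKLM) is an assumption, since the report does not say which one is used, and the process and file paths in the samples are invented.

```python
"""Hunt for the Stealth Soldier Run-key value names in registry telemetry.

Added example, not taken from the Check Point report. Matches the three
value names the report lists against Sysmon Event ID 13 records and,
on Windows, against the live Run keys. Hive choice is an assumption.
"""
import re
from typing import Iterable, Optional

# Value names written under ...\CurrentVersion\Run for persistence, per the report.
STEALTH_SOLDIER_RUN_VALUES = {
    "Cache": "version 6",
    "WinUpdate": "version 8",
    "DevUpdate": "version 9",
}
# Registry value names are case-insensitive, so compare in lowercase.
_RUN_VALUES_LOWER = {k.lower(): v for k, v in STEALTH_SOLDIER_RUN_VALUES.items()}

# Matches the tail "...\Software\Microsoft\Windows\CurrentVersion\Run\<value>" of a
# Sysmon TargetObject. The hive prefix (HKLM, HKU\<SID>) is deliberately not anchored
# because the report does not state which hive the implant uses. "RunOnce" does not
# match because a backslash must follow "Run".
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed, simplified Event ID 13 records (not real telemetry), one per line:
# EventID|UtcTime|Image|TargetObject|Details
SAMPLE_EVENTS = """\
13|2023-02-15 10:22:01|C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe|HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Cache|C:\\Users\\victim\\AppData\\Local\\Cache\\cache.exe
13|2023-02-15 10:23:40|C:\\Program Files\\Vendor\\Updater.exe|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater|C:\\Program Files\\Vendor\\Updater.exe
13|2023-02-15 11:02:17|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate|C:\\Users\\victim\\AppData\\Roaming\\svc.exe
12|2023-02-15 11:02:18|C:\\Users\\victim\\AppData\\Roaming\\svc.exe|HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\DevUpdate|
13|2023-02-15 11:05:00|C:\\Windows\\explorer.exe|HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DevUpdate|C:\\Users\\victim\\AppData\\Local\\DevUpdate\\dev.exe
"""


def match_run_value(target_object: str) -> Optional[str]:
    """Return the value name if target_object is a value under a Run key, else None."""
    m = RUN_VALUE_RE.search(target_object)
    return m.group("value") if m else None


def classify(value_name: str) -> Optional[str]:
    """Map a Run-key value name to the Stealth Soldier version that uses it."""
    return _RUN_VALUES_LOWER.get(value_name.lower())


def hunt_sysmon(lines: Iterable[str]) -> list[dict]:
    """Return one hit per Event ID 13 record that sets a known Stealth Soldier Run value."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        event_id, utc_time, image, target, details = line.split("|", 4)
        if event_id != "13":          # only "value set" events carry the value name
            continue
        value = match_run_value(target)
        if value is None:
            continue
        version = classify(value)
        if version is None:
            continue
        hits.append({"time": utc_time, "image": image, "target": target,
                     "details": details, "value": value, "version": version})
    return hits


def scan_live_run_keys() -> list[dict]:
    """On Windows, read the HKCU and HKLM Run keys directly; elsewhere return []."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:       # no more values under this key
                    break
                index += 1
                version = classify(name)
                if version:
                    hits.append({"hive": hive_name, "value": name,
                                 "details": data, "version": version})
    return hits


if __name__ == "__main__":
    for hit in hunt_sysmon(SAMPLE_EVENTS.splitlines()) + scan_live_run_keys():
        print(hit)
```

A Run-key value name on its own is a weak indicator (a benign installer could also pick "Cache"), so treat a hit as a lead rather than a verdict: pivot on the Image that wrote the value and on the executable path in Details, which, per the report, differ by version in filename and directory, and confirm with the mutex and XOR key of the sample itself.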
Attribution
- Check Point Research uncovered similarities between the present operation and the previously identified "Eye on the Nile" campaign, which Amnesty International and Check Point Research had associated with government-affiliated entities.
- The overlap in infrastructure suggests a link between the two campaigns and points to a persistent, adaptable threat actor behind both.
The bottom line
The Stealth Soldier campaign against Libyan organizations underscores the growing sophistication of cyberespionage activity in the region. The use of custom backdoors with advanced surveillance functionality poses a substantial risk to the data security and privacy of the targeted entities.