
Stealth Soldier Malware


The cybersecurity community has recently identified a custom backdoor called the Stealth Soldier, which has been used in a series of sophisticated and specifically targeted espionage campaigns in North Africa.

The Stealth Soldier is an undocumented backdoor malware that exhibits a range of surveillance capabilities, aimed at gathering sensitive information from compromised systems. It carries out various surveillance functions, such as extracting files from the infected device, recording activities on the screen and microphone, logging keystrokes, and stealing browsing-related data.

One notable aspect of this attack operation is the use of Command-and-Control (C&C) servers that imitate websites associated with the Libyan Ministry of Foreign Affairs. By mimicking these legitimate sites, the attackers create a deceptive environment that aids in the execution of their malicious activities. The earliest activity attributed to this Stealth Soldier campaign dates back to October 2022, indicating that the attackers have been operating for a considerable period.

The Stealth Soldier Malware Operators Use Social Engineering Tactics

The attack campaign begins with potential targets being tricked into downloading malicious downloader binaries through social engineering tactics. These deceptive binaries serve as a means to deliver the Stealth Soldier malware, while simultaneously displaying a seemingly harmless decoy PDF file to distract the victims.

Once the Stealth Soldier malware is successfully deployed, its custom modular implant becomes active. This implant, believed to be used sparingly to avoid detection, equips the malware with a range of surveillance capabilities. It gathers directory listings and browser credentials, logs keystrokes, records audio from the device's microphone, captures screenshots, uploads files and executes PowerShell commands.

The malware employs different types of commands. Some commands are plugins that are downloaded from the Command-and-Control (C&C) server, while others are modules embedded within the malware itself. This modular approach allows for flexibility and adaptability in the malware's functionality. It also indicates that the operators actively maintain and update the malware, as evidenced by the discovery of three distinct versions of the Stealth Soldier.

Although some of the components of the Stealth Soldier are no longer accessible, analysis has revealed that certain functionalities, such as screen capture and browser credential theft, were inspired by open-source projects available on GitHub. This suggests that the threat actors behind Stealth Soldier drew inspiration from existing tools and incorporated them into their custom malware to enhance its capabilities and effectiveness.

Similarities with Previously Recorded Malware Operations

Furthermore, it has been discovered that the infrastructure utilized by the Stealth Soldier shares similarities with the infrastructure linked to a previous phishing campaign known as Eye on the Nile. The Eye on the Nile campaign targeted Egyptian journalists and human rights activists in 2019.

This development indicates the potential resurgence of the threat actor responsible for both campaigns. It suggests that the group is specifically focused on conducting surveillance activities targeting individuals in Egypt and Libya.

Considering the modular nature of the malware and the utilization of multiple infection stages, it is highly likely that the attackers will continue to adapt their tactics and techniques. This adaptability implies that the threat actor will likely release updated versions of the malware in the near future, potentially introducing new functionalities and evasive maneuvers to further their surveillance objectives.
