A wave of advanced persistent threat (APT) attacks aimed at Libyans has been detected, using malware that conducts surveillance functions.
Spotted by Check Point Research, the Stealth Soldier malware primarily conducts surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information. This malware also adds an undocumented, custom modular backdoor, with the researchers claiming the most recent version was likely to have been delivered in February.
Check Point researchers said the oldest version was compiled last October, and believe the command-and-control (C2) network is part of a larger set of infrastructure, used for spear-phishing campaigns against government entities.
There are indications that the malware C2 servers are related to a larger set of domains, the company noted, and these servers are likely used for phishing campaigns. Some of the domains also masquerade as sites belonging to the Libyan Foreign Affairs Ministry.
Sergey Shykevich, threat intelligence group manager at Check Point, says the delivery mechanism of the downloader is currently unknown, but phishing messages were the most likely tactic being used. Looking at the infrastructure, he says that the researchers “saw emphasis on targeting the Libyan government.”
Links to the Past?
The Stealth Soldier infrastructure has some overlaps with infrastructure used in the “Eye on the Nile” campaign, which operated against Egyptian targets in 2019. Researchers believe this is the first possible reappearance of this threat actor since then. Shykevich confirms there has been no detection of attacks on Egyptian users using the Stealth Soldier malware.
However, version 8 of the C2 in the Stealth Solder malware was also resolved by multiple Eye on the Nile domains, according to Check Point researchers, while several infrastructure overlaps with known Eye on the Nile domains were also spotted.
Asked if he believes that the Eye on the Nile and Stealth Soldier malware types are being used by the same attackers or if it’s just the same potentially rented C2s and malware used, Shykevich says the evidence only “gives us medium confidence of the link between the current campaign to Eye on the Nile: Based just on the overlaps we saw, it is difficult to claim with 100% confidence that it is the same group, but there is a good chance it is.”
The researchers acknowledged that Libya is not often the focus of APT reports, but the investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and the significant network of phishing domains to conduct surveillance and espionage operations against Libyan targets.
“Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future,” the researchers said in the advisory.