Espionage Attacks Target North Africa with Stealthy Backdoor


June 9, 2023
Nextdoorsec-course

A recently emerged custom backdoor called Stealth Soldier has been deployed as part of a series of highly targeted spying attacks in North Africa.

According to a technical report by cybersecurity company Check Point, the Stealth Soldier malware is an undocumented backdoor primarily designed for surveillance. Its functionalities include exfiltrating files, recording screens and microphone input, logging keystrokes, and stealing browser information.

The ongoing operation uses command-and-control (C&C) servers that mimic websites associated with the Libyan Ministry of Foreign Affairs. The earliest traces of the campaign date to October 2022.

The attacks begin with targets being lured, through social engineering, into downloading fake downloader binaries, which act as the delivery channel for the Stealth Soldier backdoor. While the backdoor is installed, a decoy empty PDF file is displayed to distract the victim.


The custom modular implant, believed to be used sparingly, enables surveillance capabilities by collecting directory listings and browser credentials, recording keystrokes and microphone audio, capturing screenshots, uploading files, and executing PowerShell commands. Check Point stated, “The malware utilizes various types of commands, some of which are plugins downloaded from the C&C server, while others are modules within the malware itself.” The existence of three versions of Stealth Soldier indicates that the operators are actively maintaining it.

Although some components are no longer accessible, it is reported that the screen capture and browser credential-stealing plugins have been influenced by open-source projects available on GitHub. Additionally, the infrastructure used by Stealth Soldier overlaps with the infrastructure linked to a previous phishing campaign called Eye on the Nile, which targeted Egyptian journalists and human rights activists in 2019.

This infrastructure overlap suggests that the threat actor behind Eye on the Nile has resurfaced, and that the group remains focused on surveillance of Egyptian and Libyan targets.

Given the modular design of the malware and its multi-stage infection chain, Check Point expects the attackers to keep evolving their tactics and techniques and to deploy new versions of the malware in the near future.

Lucas Maes

Author

Cybersecurity guru, encryption wizard, safeguarding data with 10+ yrs of IT defense expertise. Speaker & author on digital protection.
