
A wave of advanced persistent threat (APT) attacks aimed at Libyans has been detected, using malware that conducts surveillance functions.

Spotted by Check Point Research, the Stealth Soldier malware primarily conducts surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information. This malware also adds an undocumented, custom modular backdoor, with the researchers claiming the most recent version was likely to have been delivered in February.

Check Point researchers said the oldest version was compiled last October, and they believe the command-and-control (C2) network is part of a larger set of infrastructure used for spear-phishing campaigns against government entities.

There are indications that the malware C2 servers are related to a larger set of domains, the company noted, and these servers are likely used for phishing campaigns. Some of the domains also masquerade as sites belonging to the Libyan Foreign Affairs Ministry.

Sergey Shykevich, threat intelligence group manager at Check Point, says the delivery mechanism of the downloader is currently unknown, but phishing messages were the most likely tactic being used. Looking at the infrastructure, he says that the researchers “saw emphasis on targeting the Libyan government.”

The Stealth Soldier infrastructure has some overlaps with infrastructure used in the "Eye on the Nile" campaign, which operated against Egyptian targets in 2019. Researchers believe this is the first possible reappearance of this threat actor since then. Shykevich confirms there has been no detection of attacks on Egyptian users using the Stealth Soldier malware.

However, the C2 server used by version 8 of the Stealth Soldier malware was also one that multiple Eye on the Nile domains resolved to, according to Check Point researchers, and several further infrastructure overlaps with known Eye on the Nile domains were spotted.
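The overlaps described above are the kind of evidence a defender derives from passive DNS: if a domain from a new campaign resolves to an IP address that domains from an older, attributed campaign also resolved to, the two sets share infrastructure. The script below is an added example, not code from Check Point or from the article, and every domain and IP in it is a constructed placeholder (documentation ranges and `.example` names), not an indicator from the report. It indexes resolution records by IP, reports which candidate domains share an IP with known campaign domains, and flags how many unrelated tenants sit on the same IP, since a shared IP on crowded hosting is much weaker evidence than a shared IP that only the two campaigns use.

```python
from collections import defaultdict

# Constructed passive-DNS-style records: (domain, resolved IP, first-seen date).
# All values are illustrative placeholders, not indicators from the report.
RESOLUTIONS = [
    ("old-campaign-a.example", "198.51.100.10", "2019-03-02"),
    ("old-campaign-b.example", "198.51.100.10", "2019-05-14"),
    ("old-campaign-c.example", "203.0.113.7", "2019-06-01"),
    ("new-c2-v8.example", "198.51.100.10", "2023-02-11"),
    ("new-c2-v7.example", "192.0.2.55", "2022-10-20"),
    ("lookalike-ministry.example", "192.0.2.55", "2023-01-09"),
    ("unrelated-cdn.example", "198.51.100.10", "2018-01-01"),  # shared-hosting noise
]

# Domains attributed to the older campaign, and domains from the new one (constructed).
KNOWN_OLD = {"old-campaign-a.example", "old-campaign-b.example", "old-campaign-c.example"}
NEW_CAMPAIGN = {"new-c2-v8.example", "new-c2-v7.example", "lookalike-ministry.example"}


def index_by_ip(records):
    """Map each IP address to the set of domains that resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip, _first_seen in records:
        by_ip[ip].add(domain)
    return by_ip


def shared_infrastructure(records, known, candidates):
    """Return {candidate_domain: {ip: set of known domains sharing that ip}}.

    Only candidates that share at least one IP with a known domain appear.
    """
    by_ip = index_by_ip(records)
    overlaps = {}
    for domain, ip, _first_seen in records:
        if domain not in candidates:
            continue
        shared = by_ip[ip] & known
        if shared:
            overlaps.setdefault(domain, {})[ip] = shared
    return overlaps


def other_tenants(records, ip, known, candidates):
    """Domains on this IP that belong to neither campaign set.

    Many other tenants means shared hosting, which dilutes the overlap as evidence.
    """
    return index_by_ip(records)[ip] - known - candidates


def overlap_report(records, known, candidates):
    """Flatten the overlaps into (candidate, ip, shared_known, tenant_count) rows."""
    rows = []
    for domain, ips in shared_infrastructure(records, known, candidates).items():
        for ip, shared in ips.items():
            tenants = other_tenants(records, ip, known, candidates)
            rows.append((domain, ip, sorted(shared), len(tenants)))
    return sorted(rows)


if __name__ == "__main__":
    for domain, ip, shared, tenants in overlap_report(RESOLUTIONS, KNOWN_OLD, NEW_CAMPAIGN):
        strength = "weak (shared hosting)" if tenants else "notable (no other tenants)"
        print(f"{domain} -> {ip} shared with {shared}; other tenants: {tenants}; {strength}")
```

With the constructed records, only the version-8 C2 placeholder overlaps the older set, and the presence of an unrelated domain on the same IP is what keeps that overlap from being conclusive on its own; other pivots (registration details, TLS certificates, timing of first-seen dates) would be needed to raise confidence.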

Asked whether he believes the Eye on the Nile and Stealth Soldier malware are being used by the same attackers, or whether the two simply share potentially rented C2 servers and malware, Shykevich says the evidence only "gives us medium confidence of the link between the current campaign to Eye on the Nile: Based just on the overlaps we saw, it is difficult to claim with 100% confidence that it is the same group, but there is a good chance it is."

The researchers acknowledged that Libya is not often the focus of APT reports, but the investigation suggests that the attackers behind this campaign are politically motivated and are utilizing the Stealth Soldier malware and the significant network of phishing domains to conduct surveillance and espionage operations against Libyan targets.

"Given the modularity of the malware and the use of multiple stages of infection, it is likely that the attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future," the researchers said in the advisory.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs' next match.
