The Stealth Soldier campaign marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.
Check Point Research has recently uncovered a series of highly-targeted espionage attacks in Libya, shedding light on a previously undisclosed backdoor called Stealth Soldier. This sophisticated malware operates as a custom modular backdoor with surveillance functionalities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.
The campaign, which appears to be targeting Libyan organizations, marks the possible re-appearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.
Stealth Soldier, an implant used in limited and targeted attacks, has shown active maintenance with the latest version, Version 9, compiled in February 2023. Check Point Research’s investigation began with the discovery of multiple files submitted to VirusTotal between November 2022 and January 2023 from Libya.
These files, named in Arabic, such as “هام وعاجل.exe” (Important and Urgent.exe) and “برقية 401.exe” (Telegram 401.exe), turned out to be downloaders for different versions of the Stealth Soldier malware.
The execution flow of Stealth Soldier starts with the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader remains unknown, social engineering is suspected.
The malware’s infection process involves downloading multiple files from the Command and Control (C&C) server, including the loader, watchdog, and payload. These components work together to establish persistence and execute the surveillance functionalities.
First, the loader downloads an internal module called PowerPlus to enable PowerShell commands and create persistence. Then, the watchdog periodically checks for updated versions of the loader and runs it accordingly. Finally, the payload collects data, receives commands from the C&C server, and executes various modules based on the attacker’s instructions.
The victim’s information collected by the Stealth Soldier’s payload includes the hostname, username, drive list, and files within specific directories. The malware supports various commands, including directory listing, file upload, screenshot capture, microphone recording, keylogging, browser credential extraction, and PowerShell command execution.
Check Point Research identified three different versions of Stealth Soldier (Versions 6, 8, and 9), each with slight variations in functionality, filenames, and persistence mechanisms.
Additionally, the investigation uncovered a set of phishing domains linked to the campaign, with some masquerading as websites belonging to the Libyan Ministry of Foreign Affairs. The phishing domains, hosted on IP addresses associated with previous malicious activities, indicated a likely intention to conduct phishing campaigns.
Check Point Research also discovered similarities between this recent operation and the “Eye on the Nile” campaign, previously linked to government-backed bodies by Amnesty International and Check Point Research. The overlapping infrastructure suggests a possible connection between the two campaigns, indicating the persistence and adaptability of the threat actor behind them.
The Stealth Soldier malware campaign targeting Libyan organizations highlights the increasing sophistication of cyber espionage operations. The use of custom backdoors and advanced surveillance capabilities poses significant threats to targeted entities’ data security and privacy.
Detecting and mitigating advanced threats like Stealth Soldier requires a combination of proactive threat intelligence, user awareness, and effective security solutions to ensure a resilient defence against evolving cyber threats.