Cyberespionage campaign in Libya employs new customized modular backdoor “Stealth Soldier”

Recently, experts from Check Point’s research team discovered a series of highly targeted espionage attacks in the Libyan region. These espionage attacks make use of a new custom modular backdoor called Stealth Soldier.

Stealth Soldier is an undocumented backdoor that mainly performs surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and browser information theft, according to Check Point report.

The most recent version of the malware (version 9) was probably used in February 2023, while the oldest version discovered by the researchers (version 6) dates to October 2022.

Attacks begin when potential targets download fake binary files that are delivered via social engineering attacks. The intermediate payloads act as a conduit to retrieve Stealth Soldier, while displaying an empty PDF file as a decoy. According to experts, the infection chain is complex and includes six files downloaded from the C&C server.

Below are the main files used in the infection chain:

• Loader (MSDataV5.16945.exe) – Downloads PowerPlus, an internal module for executing PowerShell commands, and uses it to create persistence for the watchdog. Runs the final Stealth Soldier payload.
• Watchdog (MSCheck.exe) – Periodically checks for an updated version of the loader and runs it. Persistent using Schedule Task and the Registry Run key.
• Payload (MShc.txt) – Collects data, receives commands from the C&C server and executes modules.

The downloader obtains and opens an empty decoy PDF file from the command and control (C2) server and then downloads a filecloud loader. The loader downloads a .NET module called PowerPlus and executes PowerShell code. PowerPlus is used to execute two commands, one to maintain persistence and the other to query details about the task in a file called DRSch.

The process involves the use of a watchdog as an update mechanism. In the last stage of the infection chain, the malware decrypts the payload before executing it as shellcode, which loads the payload and passes execution to its main logic.

The malware supports different types of commands, some of them in the form of plugins that are downloaded from C2. Other commands are modules within the malware.

“The research suggests that the attackers behind this campaign are politically motivated and are using Stealth Soldier malware and a significant network of phishing domains to conduct surveillance and espionage operations against Libyan and Egyptian targets.” Check Point concludes. “Given the modularity of the malware and the use of multiple stages of infection, it is likely that attackers will continue to evolve their tactics and techniques and deploy new versions of this malware in the near future. Finally, our analysis revealed a connection to the previously exposed Eye on the Nile campaign.”

Eye on the Nile

Researchers noted that Stealth Soldier’s infrastructure has some overlaps with the infrastructure of The Eye on the Nile, a campaign targeting journalists and human rights activists in Egypt in 2019. Experts suspect the recent attack could be linked to the same threat actor.

Amnesty International’s 2019 report describes how Egyptian civil organizations and individuals were targeted by sophisticated phishing attacks using third-party apps, such as Google and Yahoo, to steal sensitive information and monitor their activities. A follow-up report Eye on the Nile uncovered the background of this operation, traced its origin, and connected it to an Android backdoor focused on surveillance.

Throughout the analysis of the Stealth Soldier campaigns, we were able to identify several infrastructure overlaps with known Eye on the Nile domains. This is in addition to the narrow regional targeting and similar phishing domain naming patterns.

IOC’s