Check Point Research, a leading cyber threat intelligence service, has discovered a series of sophisticated cyberattacks targeting individuals in Libya. The attacks involve the use of a surveillance-focused malware called Stealth Soldier. The malware is designed to carry out various surveillance activities, including capturing files, recording screens and microphones, logging keystrokes, and stealing browser data. Researchers have identified an undocumented, custom modular backdoor in the malware, indicating that the attackers continuously update their tools. The most recent version of the malware is believed to have been distributed in February, while the oldest version was compiled in October of the previous year.

The researchers suspect that the command-and-control (C2) network associated with the malware is part of a larger infrastructure used for spear-phishing campaigns against government entities. The malware's C2 servers appear to be connected to a set of domains, some of which impersonate the Libyan Foreign Affairs Ministry's websites. It is suggested that phishing messages may be the primary method used to deliver the malware, although the exact delivery mechanism remains unknown.

Interestingly, the infrastructure linked to the Stealth Soldier campaign shows similarities to the one used in the "Eye on the Nile" cyber campaign, which targeted Egyptian entities in 2019. This overlap raises the possibility that the same threat actor has resurfaced. However, no evidence of Stealth Soldier attacks on Egyptian users has been detected so far. Check Point researchers have identified version 8 of the Stealth Soldier C2 using multiple Eye on the Nile domains, suggesting a potential connection between the two campaigns.

Although Libya is not frequently targeted by advanced persistent threats, this investigation highlights politically motivated cyberattacks that use the Stealth Soldier malware and an extensive network of phishing domains to conduct surveillance and espionage operations against Libyan targets. Given the malware's modular nature and multi-stage infection process, the researchers expect the attackers to continue refining their tactics and introducing new versions in the near future.