A group of hackers has been found targeting Libyan citizens with advanced persistent threat (APT) attacks that use malware to conduct surveillance. Check Point Research detected the Stealth Soldier malware, which not only exfiltrates files but also records screens and microphones, logs keystrokes and steals browsing information. The malware was designed to operate undetected and is built around an undocumented, custom modular backdoor, with the most recent version likely delivered in February. The researchers also discovered that the Stealth Soldier infrastructure overlaps with that used in the Eye on the Nile campaign of 2019, which targeted Egyptians. While this latest Stealth Soldier campaign was focused on Libya, there are no signs of any attacks in Egypt using this malware. Researchers acknowledged that Libya has not generally been the focus of APT attacks and suggest that politically motivated hackers were likely behind the latest campaign. Furthermore, the significant network of phishing domains employed by the malware made surveillance and espionage operations against Libyan targets easier.
Check Point Research admitted that the delivery mechanism for the downloader in this latest campaign was unknown, but phishing messages are thought to be the most likely tactic. The researchers added that there were indications that the malware’s command-and-control (C2) servers were related to a larger set of domains, probably used for phishing campaigns, with some domains masquerading as those belonging to the Libyan Foreign Affairs Ministry. The researchers’ investigation also showed that the oldest version of the malware was compiled last October, but cyber attackers have likely updated its tactics and techniques recently and are likely to continue to do so in the future.
Sergey Shykevich, threat intelligence group manager at Check Point Research, noted that the researchers saw a focus on targeting the Libyan government when scrutinising the malware’s infrastructure. He added that the infrastructure used might be rented, but overlaps suggest a good chance of a link between the current campaign and Eye on the Nile. However, he also added that the data only provides medium confidence of such a link.
There are concerns that, given the modularity of the malware and the use of multiple stages of infection, the attackers are likely to evolve their tactics and techniques and deploy updated versions of this malware in the near future. Therefore, researchers have urged users to stay vigilant, and to avoid opening attachments or clicking on links in unsolicited emails.