Stealth Soldier backdoor targets Libyan organisations

July 7, 2023

Recent research uncovered a chain of cyberespionage campaigns that use a previously unidentified backdoor dubbed Stealth Soldier. According to the reports, the backdoor has recently been infecting Libya-based organisations. Its developers built it as a custom backdoor with surveillance (spyware) capabilities rather than reusing an off-the-shelf tool.

Researchers assess that these incidents signal the return of the threat actor behind “The Eye on the Nile” campaign, which was last seen active in 2019.

The Stealth Soldier operators have also used the backdoor's infrastructure in spear-phishing attacks.

According to the investigation, the Stealth Soldier C2 network is part of a larger infrastructure that the attackers also used for spear-phishing attacks against government entities.

The infection chain starts with a downloader. The researchers could not identify the precise method used to deliver that downloader, but the actors most likely distribute it through social engineering.

Once running, the downloader retrieves several archives from the command-and-control server, among them the loader, a watchdog component, and the backdoor payload itself.

The researchers also identified three distinct infection chains, each carrying a different version of Stealth Soldier. The versions differ in their filenames, XOR keys, directory names, and mutex names.

Each version also writes a differently named value under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to establish persistence: version 6 adds a value named Cache, version 8 adds WinUpdate, and version 9 adds DevUpdate.

Despite these differences, the overall execution flow is identical across the three versions and follows the same logic.
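The Run-key value names above are the most concrete host-based indicator the report gives, so a responder's first question is usually "does any machine in the estate carry one of them?". The following added example (not code from the original article or from the researchers) parses the output of a `reg query <key> /s` dump and flags Run-key values whose names match the three reported variants. The registry dump embedded below is constructed for illustration, and so are the file paths in it. Note that names like Cache or WinUpdate are generic enough that legitimate software may use them, so a hit is a triage lead to be confirmed by inspecting the referenced executable, not proof of infection on its own.

```python
"""Triage helper (added example, not part of the original article).

Scans `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /s`
style output (or the HKLM equivalent) for value names the article attributes
to the three Stealth Soldier versions. Value names alone are a weak indicator,
so every hit is reported for manual review rather than as a confirmed infection.
"""
import re
from typing import Dict, List

# Value names reported for each Stealth Soldier version (from the article).
# Registry value names are case-insensitive, so the lookup is lower-cased.
STEALTH_SOLDIER_RUN_VALUES: Dict[str, int] = {
    "cache": 6,
    "winupdate": 8,
    "devupdate": 9,
}

# Matches both HKCU\Software\...\Run and HKLM\SOFTWARE\...\Run, as well as the
# HKLM\SOFTWARE\Wow6432Node\...\Run view. RunOnce is deliberately not matched:
# the report only names the Run key.
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"

# Shape of a value line in `reg query` output:  "    Name    REG_SZ    data"
_VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$"
)


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn `reg query ... /s` output into a list of {key, name, type, data}."""
    values: List[Dict[str, str]] = []
    current_key = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            # Key header line; subsequent value lines belong to it.
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key:
            values.append({
                "key": current_key,
                "name": m.group("name"),
                "type": m.group("type"),
                "data": m.group("data"),
            })
    return values


def scan_reg_query_output(text: str) -> List[Dict[str, object]]:
    """Return Run-key values whose name matches a reported Stealth Soldier variant."""
    hits: List[Dict[str, object]] = []
    for v in parse_reg_query(text):
        if not v["key"].lower().endswith(RUN_KEY_SUFFIX):
            continue
        version = STEALTH_SOLDIER_RUN_VALUES.get(v["name"].lower())
        if version is not None:
            hits.append({**v, "version": version})
    return hits


# Constructed sample dump: one benign HKCU entry, one entry named like the
# version-8 persistence value, a benign HKLM entry, and a RunOnce decoy
# that must not be flagged. Paths are invented for the example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\WinUpdate\svc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Cache    REG_SZ    C:\Temp\cache.exe
"""


if __name__ == "__main__":
    for hit in scan_reg_query_output(SAMPLE_REG_QUERY):
        print(f"[lead] {hit['key']}\\{hit['name']} -> {hit['data']} "
              f"(matches Stealth Soldier v{hit['version']} value name; verify the binary)")
```

In practice, feed the script the dumps of both the HKCU and HKLM Run keys from each host (for example via `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s`), then pivot from any hit to the referenced executable, its directory, and the mutex it creates before treating the host as compromised.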

The researchers also found that the new Stealth Soldier campaign shares infrastructure with the earlier “The Eye on the Nile” campaign. Such an overlap suggests that the same actor, or one with access to the same infrastructure, is behind both operations, and that the group has kept investing in its tooling and infrastructure across the intervening years.

Attacks like the Stealth Soldier campaign against Libyan entities show that cyberespionage activity in the region continues to evolve. Threat actors wielding custom backdoors with surveillance functionality pose a substantial risk to the confidentiality of any targeted organisation's data.
