Malicious software has targeted Libyan government entities, as hackers used malware that performs spying functions, according to a report by Check Point Research.
The experts of the “Check Point Research” cybersecurity company detected the malware, which monitors and spies on targets, and withdraws the collected data. The malware is using a new dedicated backdoor dubbed the “invisible soldier.”
Check Point said it has observed a wave of highly-targeted espionage attacks in Libya, which utilize a new custom modular backdoor.
Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.
The newest version of the backdoor the website found was Version 9, likely delivered in February 2023. The oldest version it found was Version 6, compiled in October 2022.
There are indications that the malware C&C servers are related to a larger set of domains, likely used for phishing campaigns. Some of the domains masquerade as sites belonging to the Libyan Foreign Ministry.
“Our investigation began when we came across multiple files submitted to VirusTotal from Libya, between November 2022 to January 2023,” the report said.
The file names were in Arabic: (Important and Urgent.exe) and (Telegram 401.exe), while the latest uses this name in regards to the Telegraph, and not the Telegram application. Analysis of the files reveals that all of them are downloaders for different versions of the same malware, internally named Stealth Soldier.
The execution flow for all Stealth Soldier versions begins with the execution of the downloader, which triggers the infection chain.