Stealth Soldier Malware Removal

Stealth Soldier is malicious software (malware) built for surveillance and data exfiltration, and it carries multiple capabilities for those purposes.

We have observed Stealth Soldier being used in espionage attacks targeting Libyan organizations. Evidence links the Command and Control (C&C) network of Stealth Soldier to phishing operations. Additionally, similarities exist between this infrastructure and other active malicious campaigns in North Africa.

Overview of the Stealth Soldier malware

At present, Stealth Soldier is actively maintained by its operators, with at least nine versions observed. The infection chain following infiltration remains largely the same across versions, although the final configuration varies. This suggests that Stealth Soldier’s attacks are highly targeted and adaptable.

Across the variants of this malware, the infection chain begins by launching a downloader. While a deceptive PDF document is displayed as a diversion, a loader component is downloaded in the background.

The loader installs the “PowerPlus” module and executes the final payload. PowerPlus is designed to execute PowerShell commands and to keep the “Watchdog” module persistent. Watchdog performs periodic checks for updated versions of the loader.
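The chain just described (a decoy document shown while a loader runs PowerShell, and a Watchdog that polls its server at regular intervals) can be expressed as detection logic over endpoint telemetry. This is an added example, not code from the original page or from any vendor; the event format, process names, pids, addresses and jitter threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

DOC_VIEWERS = {"acrord32.exe", "winword.exe", "onenote.exe"}  # processes that display the decoy

# Constructed sample telemetry (not from the page): "proc" = process creation, "net" = outbound
# connection, "t" = seconds since boot. pid 101 is the downloader, 103 the loader, 104 PowerPlus.
EVENTS = [
    {"type": "proc", "pid": 101, "ppid": 100, "image": "statement.pdf.exe", "t": 5},
    {"type": "proc", "pid": 102, "ppid": 101, "image": "AcroRd32.exe",      "t": 6},   # decoy PDF
    {"type": "proc", "pid": 103, "ppid": 101, "image": "loader.exe",        "t": 9},
    {"type": "proc", "pid": 104, "ppid": 103, "image": "powershell.exe",    "t": 10},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "chrome.exe",        "t": 20},  # benign
] + [{"type": "net", "pid": 104, "dst": "203.0.113.7", "t": 600 * k} for k in range(1, 7)] \
  + [{"type": "net", "pid": 200, "dst": "198.51.100.9", "t": t} for t in (30, 31, 95, 400, 1300)]

def subtree(events, root):
    """All pids at or below root in the process tree built from 'proc' events."""
    kids = defaultdict(list)
    for x in (e for e in events if e["type"] == "proc"):
        kids[x["ppid"]].append(x["pid"])
    seen, todo = set(), [root]
    while todo:
        pid = todo.pop()
        seen.add(pid)
        todo += [c for c in kids[pid] if c not in seen]
    return seen

def lure_chain_roots(events):
    """Innermost processes whose descendants include both a decoy viewer and powershell.exe."""
    image = {e["pid"]: e["image"].lower() for e in events if e["type"] == "proc"}
    hits = [p for p in image if (n := {image[c] for c in subtree(events, p) - {p}}) & DOC_VIEWERS
            and "powershell.exe" in n]
    return [p for p in hits if not any(q in subtree(events, p) for q in hits if q != p)]

def periodic_beacons(events, min_conns=4, max_jitter=0.15):
    """(pid, dst) pairs that connect out at a near-constant interval, as a polling Watchdog would."""
    times = defaultdict(list)
    for x in (e for e in events if e["type"] == "net"):
        times[(x["pid"], x["dst"])].append(x["t"])
    def regular(ts):
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        return len(ts) >= min_conns and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter
    return [key for key, ts in times.items() if regular(sorted(ts))]

def detect(events):
    """Lure-chain roots whose subtree also contains a periodically beaconing process."""
    beaconing = {pid for pid, _ in periodic_beacons(events)}
    return [r for r in lure_chain_roots(events) if subtree(events, r) & beaconing]
```

On the sample data `detect(EVENTS)` returns `[101]`, the downloader that showed the decoy, while the browser's irregular connections are not flagged.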

The key difference between Stealth Soldier’s variants lies in the configuration of the final payload, including its modules and plug-ins. The goal of the payload is to steal victims’ data.

The latest variant initiates its operations by collecting device/system data, such as hostname, username, drive names and types (e.g., fixed, removable), free disk space, and more. Stealth Soldier has the ability to download and upload files, enabling content exfiltration and infiltration of additional malicious components.

The software can also gather directory information, including filenames, types, formats, activity dates, sizes, permissions, and other file-related data. Furthermore, Stealth Soldier can access the device’s microphone to record audio, take screenshots or record the screen, and even perform keylogging to capture the victim’s keystrokes.

The newest variant of Stealth Soldier targets browser data, a functionality not found in previous versions. The information of interest may include browsing activity, Internet cookies, account log-in credentials, personally identifiable details, credit card numbers, and more.

It is important to note that malware developers continually improve their creations, and given Stealth Soldier’s active maintenance and customizable nature, new iterations are likely to introduce additional or different features.

To summarize, the presence of software like Stealth Soldier on devices can lead to multiple system infections, severe privacy issues, financial losses, and identity theft. Espionage-oriented malware can cause significant damage when used against highly sensitive entities.

How did Stealth Soldier infiltrate my computer?

Given its connections to a phishing infrastructure, it is plausible that Stealth Soldier is distributed through spam email. Deceptive emails and messages often carry infectious files as attachments or as download links.

These files can be in various formats, such as documents (PDF, Microsoft Office, Microsoft OneNote, etc.), archives (ZIP, RAR, etc.), executables (.exe, .run, etc.), JavaScript, and more. Opening or executing a malicious file triggers the infection chain.

Some malicious programs can even self-spread through local networks and removable storage devices, such as external hard drives and USB flash drives.

How to avoid malware installation?

Exercising caution with incoming emails and messages is crucial. We strongly recommend against opening attachments or clicking on links in suspicious or irrelevant mail, as they can contain malware. Similarly, it is essential to be vigilant while browsing, as fake and malicious online content often appears genuine and harmless.

Furthermore, all downloads should be done from official and verified channels. It is advisable to activate and update programs using legitimate functions and tools, as illegal activation tools and third-party updaters can carry malware.

Name: Stealth Soldier
Detection: Trojan:Win32/Casdet!rfn
Damage: Exploits your hardware to mine cryptocurrencies without your permission.

How to remove Stealth Soldier from my PC?

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
