
- 130/2023
- High
Stealth Soldier is a newly developed, custom-built malware that has been deployed in recent espionage campaigns focused on North Africa.
It is used in targeted attacks to support surveillance operations, with capabilities such as keystroke logging, screenshot capture, and microphone recording.
The Tactics and Techniques of Stealth Soldier Malware:
Initial access:
- Security researchers report that the threat actor relies on social engineering to name and deliver the downloader to the victim.
Execution:
- When the downloader executes, it downloads and opens an empty decoy PDF file, then downloads the loader and XOR-decrypts it to “%APPDATA%/MSDataV5.16945[.]exe”.
Persistence:
- The loader “MSDataV5.16945[.]exe” downloads an additional module named “pwls.dll” (referred to as PowerPlus), which executes PowerShell code that checks for the presence of TempDataDr\MSCheck.exe; if that file does not exist, the loader downloads and executes it.
- MSCheck.exe in turn checks whether MSDataV5.16945[.]exe exists in a directory named TempDataLa; if it does not, it downloads the file from the C&C server and decrypts it. The two components thus act as watchdogs for each other, each re-downloading the other when it is missing.
Command and Control:
- The loader downloads the file “MV.txt” from the C&C server, reads the Stealth Soldier version stored in it, and then creates the final payload file “MShc<Version>.txt”.
- Finally, the loader decrypts the payload and runs it as shellcode starting from the MZ header using the CreateThread API; the shellcode loads the payload and passes execution to its main logic.
- The payload then begins collecting information from the victim machine, such as:
▪ Hostname and username, used to build an identifier for the victim.
▪ Driver list.
▪ All files under the path “C:\Users\Public\KLData\”.
All of this information is XOR-encrypted with the key string “Windows Cmd” and sent to the C&C server; the malware then sends the string “Request for new tasks” to the C&C server and waits for new commands.
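The XOR exchange described above, worked from the analyst's side as an added example (this is not code from the advisory or from the malware): the same key string decrypts captured traffic, and because the “Request for new tasks” beacon is fixed text sent as its own message, it also serves as known plaintext for recovering the key stream from a capture. The repeating-key mode, the check-in layout in build_beacon(), and every sample value are assumptions made for illustration.

```python
# Added example, not code from the advisory or from the malware: the XOR scheme the
# advisory describes for Stealth Soldier's C&C traffic, seen from the analyst's side.
# Assumptions (not stated on the page): the key string is applied as a repeating byte
# string starting at byte 0 of each message, the check-in layout in build_beacon() is
# illustrative, and every sample value below is constructed.
from itertools import cycle

C2_KEY = b"Windows Cmd"                  # key string named in the advisory
TASK_REQUEST = b"Request for new tasks"  # beacon string named in the advisory


def xor_with_key(data: bytes, key: bytes = C2_KEY) -> bytes:
    """XOR data with a repeating key (assumed mode). XOR is its own inverse,
    so the same call encrypts a beacon and decrypts a captured one."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_beacon(hostname: str, username: str, drives: list[str], kldata_files: list[str]) -> bytes:
    """Constructed layout of the first check-in: a victim identifier built from
    hostname and username, the drive list, and the files found under
    C:\\Users\\Public\\KLData\\ (the fields the advisory lists; the layout is assumed)."""
    return "\n".join([
        f"id={hostname}-{username}",
        "drives=" + ",".join(drives),
        "kldata=" + ";".join(kldata_files),
    ]).encode()


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes (len(stream) if it never repeats)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery for single-pass XOR: key stream = ciphertext XOR plaintext.
    A key longer than the known plaintext is only partially recovered, so confirm the
    result against further captured messages before relying on it."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[:shortest_period(stream)]


def decode_capture(captured: bytes, key: bytes = C2_KEY) -> str:
    """Decrypt one captured C&C message and return it as text."""
    return xor_with_key(captured, key).decode("utf-8", errors="replace")


def is_task_request(captured: bytes, key: bytes = C2_KEY) -> bool:
    """True if a captured message decrypts to the 'new tasks' beacon."""
    return xor_with_key(captured, key) == TASK_REQUEST


# Constructed sample traffic: the check-in followed by the task request, in the order
# the advisory describes, encrypted as they would travel on the wire (assumed mode).
SAMPLE_CAPTURE = [
    xor_with_key(build_beacon("WS-042", "jdoe", ["C:", "D:"], ["log_2023-06-01.txt"])),
    xor_with_key(TASK_REQUEST),
]

if __name__ == "__main__":
    for msg in SAMPLE_CAPTURE:
        print(decode_capture(msg))            # readable check-in, then the beacon text
    # Recover the key from the known beacon alone, then confirm it on the check-in.
    key = recover_key(SAMPLE_CAPTURE[1], TASK_REQUEST)
    print(key, decode_capture(SAMPLE_CAPTURE[0], key))
```

Running the block prints the decrypted check-in and beacon, then the key recovered from the beacon alone. recover_key() returns only as much key as the known plaintext covers, so a key longer than the 21-byte beacon would need a second known message to confirm; with the 11-byte key string named in the advisory the beacon is long enough.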
Indicators of Compromise
Mitigations
- Search for existing signs of the indicated IOCs in your environment.
- Block all URL and IP-based IOCs at the organization’s security devices.
- Implement network segmentation so that machines on your network are not reachable from every other machine.
- If remote access is required, use a VPN configured according to vendor best practices, with multi-factor authentication, password audits, precise access control, and active monitoring of remote access.
- Users logged into remote access services should have limited privileges for the rest of the corporate network.
- Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
- Conduct cybersecurity awareness training for End-users.
- Ensure anti-virus software and associated files are up to date.
- Implement application whitelisting, which only allows systems to execute programs known and permitted by the organization’s security policy.
- Back up your data to multiple backup destinations, including tape drives.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
- Install updates and patches for operating systems, software, and firmware as soon as they are released.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Disable browser ‘Save Password’ functionality.
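One way to carry out the first mitigation above against the staging artifacts named in the TTP section, as an added example (not the advisory's own tooling): classify file paths from an EDR or file-system inventory by the loader, watchdog, PowerPlus, version-file, payload and KLData names, and walk a live tree the same way. Name matching is case-insensitive; the loose MShc<Version>.txt pattern, the stage labels and the sample inventory are assumptions made here.

```python
# Added example, not part of the advisory: a host hunt for the staging artifacts the
# advisory's TTP section names. It matches on the file and directory names the page
# gives, so a renamed copy would not be caught; pair it with the advisory's IOC list.
# Assumptions: the "<Version>" in MShc<Version>.txt is matched loosely as digits and
# dots, the stage labels are this example's own, and the sample inventory is constructed.
import os
import re
from pathlib import PureWindowsPath

# Exact file names from the advisory, mapped to the stage they belong to.
ARTIFACT_FILES = {
    "msdatav5.16945.exe": "loader (Execution)",
    "pwls.dll": "PowerPlus module (Persistence)",
    "mscheck.exe": "watchdog (Persistence)",
    "mv.txt": "version file (Command and Control)",
}
# Directory names from the advisory.
ARTIFACT_DIRS = {
    "tempdatadr": "watchdog directory (Persistence)",
    "tempdatala": "loader re-download directory (Persistence)",
    "kldata": "collected-data directory (Command and Control)",
}
# MShc<Version>.txt: the version format is not given, so accept digits and dots (assumption).
PAYLOAD_RE = re.compile(r"^mshc[\d.]+\.txt$", re.IGNORECASE)


def classify_path(path: str) -> list[str]:
    """Return the stage labels a single path matches (empty list if clean).
    PureWindowsPath splits on both '\\' and '/', so inventory lines from Windows
    and paths produced by os.walk on any OS are handled the same way."""
    p = PureWindowsPath(path)
    hits = []
    name = p.name.lower()
    if name in ARTIFACT_FILES:
        hits.append(ARTIFACT_FILES[name])
    elif PAYLOAD_RE.match(name):
        hits.append("final payload (Command and Control)")
    for part in p.parts[:-1]:            # every directory component, case-insensitive
        label = ARTIFACT_DIRS.get(part.lower())
        if label:
            hits.append(label)
    return hits


def hunt_paths(paths) -> dict[str, list[str]]:
    """Classify an iterable of paths (e.g. an EDR file inventory) and return only the hits."""
    found = {}
    for path in paths:
        labels = classify_path(path)
        if labels:
            found[path] = labels
    return found


def hunt_tree(root: str) -> dict[str, list[str]]:
    """Walk a live directory tree; on Windows run it against %APPDATA% and C:\\Users\\Public."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            labels = classify_path(full)
            if labels:
                found[full] = labels
    return found


# Constructed sample inventory: two clean entries and six staged artifacts.
SAMPLE_INVENTORY = [
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
    r"C:\Users\jdoe\AppData\Roaming\MSDataV5.16945.exe",
    r"C:\Users\jdoe\AppData\Roaming\pwls.dll",
    r"C:\Users\jdoe\AppData\Roaming\TempDataDr\MSCheck.exe",
    r"C:\Users\jdoe\AppData\Roaming\MV.txt",
    r"C:\Users\jdoe\AppData\Roaming\MShc1.2.txt",
    r"C:\Users\Public\KLData\log_2023-06-01.txt",
    r"C:\Program Files\Common Files\system\ole db\msdaosp.dll",
]

if __name__ == "__main__":
    for path, labels in hunt_paths(SAMPLE_INVENTORY).items():
        print(path, "->", "; ".join(labels))
```

A hit on the watchdog directory together with MSCheck.exe, or on both the loader and the version file, points at the whole staging chain rather than a stray file; any single hit is still worth pulling the file for analysis, since the advisory's chain re-creates missing components.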