Showing posts with label Hacker. Show all posts

North Africa Targeted by Stealth Soldier Backdoor in Espionage Attacks


Check Point Research has discovered a series of cyberespionage attacks against Libyan organizations using a previously undisclosed backdoor named Stealth Soldier. The malware is a custom, modular backdoor with surveillance capabilities.

The choice of Libyan organizations as targets, together with overlaps in the malware's infrastructure, points to the possible return of a threat actor referred to as "The Eye on the Nile", last seen in action in 2019.

Diving into details

The Command and Control (C&C) network of Stealth Soldier is part of a broader infrastructure that has been used, at least in part, for spear-phishing attacks against government entities.
  • The infection begins with a downloader, which starts the attack chain. How the downloader itself is delivered has not been determined; social engineering is considered likely.
  • The most recent version of the implant was reportedly compiled in February 2023.
  • The infection procedure retrieves several files from the C&C server, including the loader, the watchdog and the payload.

Let’s discuss its versions

Security researchers have identified three distinct infection chains, corresponding to three versions of Stealth Soldier: 6, 8 and 9.
  • The versions differ in details such as filenames, mutex names, XOR keys and directory names.
  • They also differ in the value name written under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key for persistence:
  • "Cache" for version 6
  • "WinUpdate" for version 8
  • "DevUpdate" for version 9

Nonetheless, the overall flow follows a similar pattern for different versions and exhibits the same underlying logic.
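The Run-key value names above are the cheapest artifact to hunt for on a fleet. As an added example (not code from Check Point's report), the script below parses a registry export of the kind produced by `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, flags value names tied to the three documented versions, and grades each hit by whether the autorun target lives in a user-writable directory. The sample export, the directory heuristic and the confidence labels are constructed for this example; note that "Cache" is a generic name, so a version-6 match on its own is a lead to review rather than a confirmed infection.

```python
import re

# Run-key value names tied to each Stealth Soldier version in the text above.
STEALTH_SOLDIER_RUN_NAMES = {"Cache": 6, "WinUpdate": 8, "DevUpdate": 9}

# Case-insensitive suffix shared by the HKCU and HKLM Run keys.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Directories an ordinary user can write to; an autorun pointing here is far
# more suspicious than one under Program Files (heuristic, an assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed .reg export (not from a real host): one benign entry, two
# entries whose names match the documented versions, one non-string value.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\WinUpdate\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cache"="C:\\Program Files\\VendorApp\\cache.exe"
"SecurityHealth"=hex(2):25,00,77,00
'''


def _unescape(s):
    # In .reg string syntax a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" values. Non-string data (hex:, dword:) is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def hunt_run_keys(keys):
    """Return one hit per Run-key value whose name matches a documented
    Stealth Soldier version, graded by where the autorun target lives."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            version = STEALTH_SOLDIER_RUN_NAMES.get(name)
            if version is None:
                continue
            in_user_dir = any(marker in data.lower() for marker in USER_WRITABLE_MARKERS)
            hits.append({
                "key": key,
                "name": name,
                "command": data,
                "version": version,
                "confidence": "high" if in_user_dir else "review",
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_run_keys(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{hit['confidence']}] v{hit['version']} {hit['key']}\\{hit['name']} -> {hit['command']}")
```

On a real host, run the export on both HKCU and HKLM Run keys and feed each file to `parse_reg_export`; the value name is only the first pivot, so confirm a hit by checking the target binary's hash and signing status before declaring an infection.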

Attribution

  • Check Point Research found similarities between this operation and the earlier "Eye on the Nile" campaign, which Amnesty International and Check Point Research had attributed to government-affiliated entities.
  • The overlapping infrastructure suggests a link between the two campaigns and shows the persistence and adaptability of the actor behind them.

The bottom line

The Stealth Soldier campaign against Libyan organizations underscores the growing sophistication of cyberespionage activity. Custom backdoors with advanced surveillance features pose a substantial risk to the data security and privacy of the targeted entities.

Botnet



A botnet, or robot network, is a group of computers running software that is controlled by a single operator. The term can refer to a legitimate network of computers that share program processing among themselves.
Usually, though, when people talk about botnets they mean a group of computers infected with malicious robot software (bots), which is a security threat to the computer's owner. Once the bot (malware) has been installed, the computer becomes a zombie or drone that carries out the bot commander's instructions.
A botnet may be small or large depending on the complexity and sophistication of the bots used: a large botnet may consist of tens of thousands of zombies, a small one of a thousand or fewer. Usually the owners of the zombie computers do not know that their machines and resources are being remotely controlled and exploited, traditionally through Internet Relay Chat (IRC).
There are various types of malicious bots that have infected, and continue to infect, machines on the internet. Some bots have their own spreaders, the code that lets them infect other computers (which is why some people call botnets computer viruses), while some smaller bots have no such capability.
Different Types of Bots
Here is a list of the most used bots in the internet today, their features and command set.
XtremBot, Agobot, Forbot, Phatbot
These are currently the best-known bots, with more than 500 variants in circulation. The family is written in C++, is cross-platform, and its source code was released under the GPL. These bots range from fairly simple to highly abstract, module-based designs; because of the modular approach, adding commands or scanners for new vulnerabilities is easy. They can use the libpcap packet-sniffing library, NTFS alternate data streams (ADS) and PCRE. Agobot is distinctive in that it is the only one of these bots that makes use of control protocols other than IRC.
UrXBot, SDBot, UrBot and RBot
Like the previous family, these bots are published under the GPL, but they are less abstract in design and written in plain C. Although the implementation is less varied and the design less sophisticated, these bots are well known and widely used.
GT-Bots and mIRC based bots
These bots have many versions, mainly because mIRC is one of the most widely used IRC clients for Windows. GT stands for "global threat" and is the common name for bots scripted with mIRC. GT-bots use the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.
Malicious Uses of Botnets
Types Of Botnet Attacks
Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Any internet service can be a target of a botnet. One method is flooding a website with recursive HTTP requests or bulletin-board search queries. This mode of attack, in which higher-level protocols are used to amplify the effect of the attack, is also termed spidering.
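Fast flux leaves a recognisable footprint in DNS: a name whose answers rotate through many unrelated addresses with a tiny TTL. The following added example (not code from the original page) scores constructed passive-DNS observations per domain and flags the one that matches that pattern. The sample records use documentation and reserved address ranges, the /16 prefix stands in for "different network owner" where no ASN data is available, and the thresholds are assumptions to tune against real data; the CDN-like entry is included to show why the network-diversity check is needed, since a CDN can also have many addresses and a short TTL.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (queried name, A record, TTL seconds).
SAMPLE_PDNS = [
    # Ordinary site: two addresses in one network, long TTL.
    ("www.example-bank.test", "203.0.113.10", 3600),
    ("www.example-bank.test", "203.0.113.11", 3600),
    ("www.example-bank.test", "203.0.113.10", 3600),
    # CDN-like site: many addresses and a short TTL, but all in one network.
    ("static.example-cdn.test", "192.0.2.10", 60),
    ("static.example-cdn.test", "192.0.2.11", 60),
    ("static.example-cdn.test", "192.0.2.12", 60),
    ("static.example-cdn.test", "192.0.2.13", 60),
    ("static.example-cdn.test", "192.0.2.14", 60),
    ("static.example-cdn.test", "192.0.2.15", 60),
    # Fast-flux phishing host: each answer is a different compromised machine
    # in an unrelated network, with the TTL kept tiny so rotation takes effect.
    ("secure-login-update.test", "198.51.100.7", 120),
    ("secure-login-update.test", "192.0.2.44", 120),
    ("secure-login-update.test", "203.0.113.200", 120),
    ("secure-login-update.test", "198.18.5.9", 120),
    ("secure-login-update.test", "100.64.3.3", 120),
    ("secure-login-update.test", "198.51.100.150", 120),
    ("secure-login-update.test", "203.0.113.31", 120),
    ("secure-login-update.test", "192.0.2.99", 120),
]

# Thresholds are assumptions for this example; tune them on your own data.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_MEDIAN_TTL = 300


def network_of(ip, prefix=16):
    """Coarse proxy for 'different owner' when no ASN lookup is available."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flux_profile(records):
    """Aggregate per-domain metrics from (name, ip, ttl) observations."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    ttls = defaultdict(list)
    for name, ip, ttl in records:
        ips[name].add(ip)
        nets[name].add(network_of(ip))
        ttls[name].append(ttl)
    return {
        name: {
            "distinct_ips": len(ips[name]),
            "distinct_nets": len(nets[name]),
            "median_ttl": median(ttls[name]),
        }
        for name in ips
    }


def is_fast_flux(metrics):
    """All three signals together: many addresses, spread across unrelated
    networks, and a TTL short enough for the rotation to matter."""
    return (metrics["distinct_ips"] >= MIN_DISTINCT_IPS
            and metrics["distinct_nets"] >= MIN_DISTINCT_NETS
            and metrics["median_ttl"] <= MAX_MEDIAN_TTL)


def find_fast_flux(records):
    return sorted(name for name, m in flux_profile(records).items() if is_fast_flux(m))


if __name__ == "__main__":
    for name, m in flux_profile(SAMPLE_PDNS).items():
        print(f"{name:28} ips={m['distinct_ips']:2} nets={m['distinct_nets']:2} "
              f"ttl={m['median_ttl']:5.0f} flux={is_fast_flux(m)}")
```

Replace the /16 grouping with an ASN lookup when you have one, and feed the function from your resolver logs or a passive-DNS export over a window of hours rather than single responses, since a single answer cannot show churn.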
Spyware
It’s a software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet.
Adware
It exists to advertise a commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.
Spamming and Traffic Monitoring
A botnet can also turn an infected computer into a SOCKS proxy for other network applications. After compromising a computer, the botnet commander can use the infected unit (a zombie), together with the other zombies in the botnet, to harvest email addresses or to send massive amounts of spam or phishing email.
Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.
Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim’s phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).
Keylogging and Mass Identity Theft
Encryption on the victim's machine can deter most bots from harvesting anything useful. Unfortunately, some bots have adapted by installing a keylogger on the infected machine. With a keylogger, the bot owner can use a filter to collect only the keystrokes typed just before or after interesting keywords such as PayPal or Yahoo mail. This is one of the reasons behind the mass theft of PayPal accounts over the past several years.
Bots can also be used as agents for mass identity theft. It does this through phishing or pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing emails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password.
Botnet Spread
Botnets can also be used to spread other bots across the network, by convincing the user to download and run a program delivered over FTP, HTTP or email.
Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.

Blockchain Technology

Blockchain technology is a new concept to understand, and it is growing rapidly in every industry. Virtual currency is presented as the next stage in the evolution of money.
The words "block" and "chain" were used separately in Satoshi Nakamoto's original paper in October 2008; when the term came into wider use it was originally written "block chain", before becoming the single word "blockchain" by 2016. In August 2014 the bitcoin blockchain file reached 20 gigabytes in size.
Blockchain technology has already been put to use in a few countries: funding and registration in Australia's transport department, a fast-growing real estate use in Dubai, and internal bank payments in Singapore.

Bitcoin:

Bitcoin uses peer-to-peer technology to operate with no central authority or banks; managing transactions and issuing bitcoins is carried out collectively by the network. Bitcoin is open source: its design is public, nobody owns or controls Bitcoin and everyone can take part. Through its unique properties, Bitcoin allows uses that no previous payment system could cover.
Bitcoin is a cryptocurrency and a payment system invented by an unidentified programmer, or group of programmers, under the name Satoshi Nakamoto. Bitcoin was introduced on 31 October 2008 on a cryptography mailing list and released as open-source software in 2009. Cross-border payments through banks and credit-card networks can cost 7-10% in fees; Bitcoin users, by contrast, can receive payment directly from anyone, anywhere in the world.


Technology:

(Figure source: DUPress)
Bitcoin is a virtual currency, but the same ledger technology is expected to extend to transfers of property and to identity management. The public and private sectors will face new challenges, opportunities and responsibilities, and governments are also cooperating with the technology to create innovative products and services.
Identity management is another area being transformed by blockchain technology, given how many identities and documents have been stolen in recent years.
Identity Management forms:
  • Passports
  • Social Security numbers
  • Driving License
  • Tax Identification Number and more..
According to Forbes
  • The Blockchain is a public ledger that records (providing ownership and time stamp) and validates every transaction made worldwide.
  • What makes this network unique and secure is that all transactions are authorized and backed by thousands of computers (called miners), achieving consensus on each transaction.
  • No one owns it (hence the term “decentralized”), and therefore it’s immutable and there’s no single point of attack for those attempting to “hack” or otherwise alter the records on the Blockchain registry.
  • The technology enables peer to peer (P2P) transaction capabilities without any involvement of a central authority or a third party.

How it works?

(Use-case graphic not reproduced.)
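The ledger described in the bullets above is, at its core, a chain of blocks in which each block commits to the hash of the one before it and carries a proof of work. The added example below (not code from the original page or from Bitcoin) builds such a chain in a few dozen lines and then shows what "immutable" actually rests on: editing an old transaction breaks the chain, and re-mining only the edited block still leaves the next block pointing at the old hash, so an attacker must redo the work of every later block. The difficulty, timestamps and transactions are constructed toy values.

```python
import copy
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros required; toy value, real networks use far more

# Fields that are hashed; "hash" itself is excluded.
HASHED_FIELDS = ("index", "timestamp", "transactions", "prev_hash", "nonce")


def block_hash(block):
    """Canonical JSON of the committed fields, hashed with SHA-256."""
    payload = json.dumps({k: block[k] for k in HASHED_FIELDS},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index, timestamp, transactions, prev_hash, difficulty=DIFFICULTY):
    """Increment the nonce until the block hash meets the difficulty target."""
    block = {"index": index, "timestamp": timestamp, "transactions": transactions,
             "prev_hash": prev_hash, "nonce": 0}
    target = "0" * difficulty
    while True:
        h = block_hash(block)
        if h.startswith(target):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(batches, difficulty=DIFFICULTY):
    """Genesis block plus one mined block per batch of transactions."""
    chain = [mine_block(0, 1700000000, [], "0" * 64, difficulty)]
    for i, txs in enumerate(batches, start=1):
        chain.append(mine_block(i, 1700000000 + 600 * i, txs, chain[-1]["hash"], difficulty))
    return chain


def is_valid_chain(chain, difficulty=DIFFICULTY):
    """Every block must hash to its stored hash, meet the target, and point
    at the hash of its predecessor."""
    target = "0" * difficulty
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or not block["hash"].startswith(target):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def tamper_demo():
    """Edit an old transaction, then re-mine only that block; report validity
    before the edit, after the edit, and after the partial re-mine."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}],
        [{"from": "carol", "to": "dave", "amount": 1}],
    ])
    valid_before = is_valid_chain(chain)

    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 500  # attacker inflates a payment
    valid_after_edit = is_valid_chain(edited)     # block 1 no longer hashes to its stored hash

    # Re-mining the edited block repairs its own hash and proof of work...
    b = edited[1]
    edited[1] = mine_block(b["index"], b["timestamp"], b["transactions"], b["prev_hash"])
    valid_after_remine = is_valid_chain(edited)   # ...but block 2 still commits to the old hash
    return valid_before, valid_after_edit, valid_after_remine


if __name__ == "__main__":
    print("valid before / after edit / after re-mining one block:", tamper_demo())
```

Decentralisation alone does not make the records immutable; what makes rewriting history expensive is that every later block would have to be re-mined faster than the honest network extends the chain, which is why the consensus and mining described above matter.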

WikiLeaks Website Gets Defaced By Hacking Group OurMine


The WikiLeaks website, wikileaks.org, has just been defaced by the hacking group OurMine.

The OurMine hacking group is already known for taking over high-profile social media accounts, including those of Google CEO Sundar Pichai, Facebook CEO Mark Zuckerberg, former Twitter CEOs Dick Costolo and Ev Williams, and of Netflix, Sony and HBO.

The exact method has not been confirmed, but the site's DNS entries appear to have been compromised (a DNS poisoning or hijacking attack), so that visitors were sent to a server the attackers controlled rather than to WikiLeaks' own. The check that distinguishes this from a server compromise is whether the domain's authoritative DNS records changed: if they did, the attackers never needed access to WikiLeaks' infrastructure.

As of this morning, the WikiLeaks.org homepage displayed a message that read: “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

“Anonymous, remember when you tried to dox us with fake information for attacking wikileaks?” the message continues. “There we go! One group beat you all! #WikileaksHack lets get it trending on twitter!”

(Screenshot of the message shown on the defaced site not reproduced.)
