Sharp Panda, a Chinese cyberespionage group, is targeting high-profile government organizations in Vietnam, Thailand, and Indonesia with a new version of the "Soul" malware framework. Soul was previously observed in espionage operations against high-profile Southeast Asian targets and has been attributed to several Chinese APTs.
Check Point discovered the campaign, which used spear-phishing for initial access in late 2022 and continued into 2023. The researchers attributed it to China-based actors operating on behalf of the Chinese government on the basis of the RoyalRoad RTF kit, the C2 server addresses, and the operators' working hours; the TTPs and tooling are consistent with previously observed Sharp Panda activity.
The new campaign's spear-phishing emails carry malicious DOCX attachments built with the RoyalRoad RTF kit, which exploits older vulnerabilities to install malware on the host. In this case the exploit first creates a scheduled task, then drops and runs a DLL downloader, which in turn fetches and launches a second DLL, the SoulSearcher loader, from the C2 server.
SoulSearcher decrypts and loads the Soul modular backdoor directly into memory, which helps it evade antivirus products running on the compromised machine, and it also creates a registry key whose value holds the final compressed payload. Once running, Soul's primary module connects to the C2 server and waits for auxiliary modules that extend its capabilities.
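A practitioner triaging a host would want a quick way to find a payload parked in the registry. The following is an added example, not Check Point's tooling or anything from the Soul samples: it parses a regedit-style `.reg` export and flags binary values that are both large and random-looking, which is what a compressed or encrypted payload stored in a registry value looks like. The key paths, the size and entropy thresholds, and the embedded export are all constructed for illustration; the report does not name the key Soul uses.

```python
import math
import random
import re
from collections import Counter

# Matches '"Name"=hex:aa,bb,...' and typed variants such as hex(2):
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\(\d+\))?:(?P<data>.*)$')


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_binary_values(reg_text: str):
    """Yield (key_path, value_name, bytes) for every hex value in a regedit export.
    regedit wraps long hex values with a trailing backslash, so continuation
    lines are joined back together before the value is parsed."""
    key, pending = None, ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = HEX_VALUE.match(line)
        if m and key is not None:
            data = bytes.fromhex(m.group("data").replace(",", "").strip())
            yield key, m.group("name"), data


def find_payload_candidates(reg_text: str, min_size=2048, min_entropy=7.0):
    """Flag binary values large and random-looking enough to be a stored payload.
    The thresholds are assumptions for this example, not figures from the report."""
    hits = []
    for key, name, data in iter_binary_values(reg_text):
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append({"key": key, "name": name, "size": len(data),
                         "entropy": round(ent, 2)})
    return hits


def _reg_hex(data: bytes) -> str:
    """Render bytes the way regedit exports them: hex:aa,bb,... with '\\' wraps."""
    pairs = [f"{b:02x}" for b in data]
    rows = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return "hex:" + ",\\\n  ".join(rows)


# Constructed sample export: a benign string, a low-entropy icon blob, and a
# 4 KiB high-entropy blob standing in for a compressed payload. Key paths are
# hypothetical.
PAYLOAD = random.Random(1234).randbytes(4096)
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]\r\n"
    '"InstallPath"="C:\\\\Program Files\\\\ExampleApp"\r\n'
    '"Icon"=' + _reg_hex(bytes(512)) + "\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Hypothetical\\Settings]\r\n"
    '"Config"=' + _reg_hex(PAYLOAD) + "\r\n"
)

if __name__ == "__main__":
    for hit in find_payload_candidates(SAMPLE_REG):
        print(hit)
```

On a live host the same logic applies to an export taken with `reg export` of the hives under HKCU and HKLM; entropy alone will also flag legitimate blobs such as cached certificates, so treat a hit as a lead to correlate with the scheduled task and DLL drop described above, not as a verdict.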
The new version examined by Check Point adds a "radio silence" mode that lets the operators specify the times of the week during which the backdoor must not communicate with the command-and-control server, most likely to avoid detection during the victim organization's working hours. It also introduces a custom C2 communication protocol that uses several HTTP request methods, including GET, POST, and DELETE.
“This is an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected,” explained Check Point.
Because GET is conventionally used to retrieve data and POST to submit it, support for several methods gives the malware flexibility in how it exchanges data with the C2. Before entering its endless C2 polling loop, Soul registers with the server and sends victim fingerprinting information: hardware specifications, OS type, time zone, and IP address.
During these exchanges it may be instructed to load further modules, re-collect and resend the enumeration data, restart the C2 connection, or terminate its own process. Check Point was not able to obtain samples of the additional modules, which are expected to carry out more specific tasks such as file operations, data exfiltration, keylogging, and screenshot capture.
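The radio-silence schedule and the mixed HTTP methods are meant to hide the beacon in normal traffic, but together they leave a usable network signature: a client that contacts one host at a steady period, goes quiet exactly during the business week, and issues methods such as DELETE that ordinary clients rarely send. The following is an added detection example, not code from Check Point or from the Soul samples. It runs over constructed proxy log lines (not real telemetry) and assumes a Monday-to-Friday, 08:00-17:59 business week in the log's local time zone; the thresholds, the log format, and the addresses are all assumptions made for the example.

```python
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Assumed business week of the victim organisation, in the log's local time.
WORK_DAYS = range(0, 5)      # Monday..Friday
WORK_HOURS = range(8, 18)    # 08:00-17:59


@dataclass
class Request:
    ts: datetime
    src: str
    method: str
    host: str


def parse_proxy_line(line: str) -> Request:
    """Parse one line of the constructed proxy format:
    '<ISO-8601 ts> <src ip> <method> <url> <status> <bytes>'."""
    ts, src, method, url, _status, _size = line.split()
    host = url.split("://", 1)[1].split("/", 1)[0]
    return Request(datetime.fromisoformat(ts), src, method, host)


def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() in WORK_DAYS and ts.hour in WORK_HOURS


def profile_flows(lines, min_requests=20, min_off_hours=0.95, max_jitter=0.2):
    """Group requests per (source, destination host) and flag flows that beacon
    at a steady period but fall silent during working hours."""
    flows = defaultdict(list)
    for line in lines:
        r = parse_proxy_line(line)
        flows[(r.src, r.host)].append(r)

    findings = []
    for (src, host), reqs in flows.items():
        if len(reqs) < min_requests:
            continue  # too little traffic to build a profile
        reqs.sort(key=lambda r: r.ts)
        off_hours = sum(not in_working_hours(r.ts) for r in reqs) / len(reqs)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
        period = median(gaps)
        # Gaps far larger than the typical period are the silence windows;
        # regularity (coefficient of variation) is measured on the rest.
        steady = [g for g in gaps if g <= 3 * period]
        jitter = (pstdev(steady) / mean(steady)
                  if len(steady) > 1 and mean(steady) > 0 else 1.0)
        if off_hours >= min_off_hours and jitter <= max_jitter:
            findings.append({
                "src": src, "host": host, "requests": len(reqs),
                "off_hours_ratio": round(off_hours, 3),
                "beacon_period_s": period, "jitter": round(jitter, 3),
                "methods": sorted({r.method for r in reqs}),
            })
    return findings


def build_sample_log():
    """Constructed sample (not real telemetry): one implant beaconing every
    30 minutes except Mon-Fri 08:00-17:59, cycling GET/POST/DELETE, and one
    employee browsing an update server at irregular working-hour times."""
    lines = []
    start = datetime(2023, 1, 9)  # a Monday
    methods = ["GET", "POST", "DELETE"]
    slot, i = start, 0
    while slot < start + timedelta(days=7):
        if not in_working_hours(slot):
            lines.append(f"{slot.isoformat()} 10.0.0.5 {methods[i % 3]} "
                         f"http://203.0.113.10/api/session 200 512")
            i += 1
        slot += timedelta(minutes=30)
    rng = random.Random(7)
    for day in range(5):
        for _ in range(8):
            ts = start + timedelta(days=day, hours=rng.randint(8, 17),
                                   minutes=rng.randint(0, 59))
            lines.append(f"{ts.isoformat()} 10.0.0.5 GET "
                         f"http://updates.example.com/check 200 1024")
    return lines


if __name__ == "__main__":
    for finding in profile_flows(build_sample_log()):
        print(finding)
```

The point of measuring jitter only on the short gaps is that the silence windows would otherwise swamp the statistics and make the beacon look irregular; once they are set aside, the 30-minute cadence stands out. Legitimate overnight jobs can also score high on the off-hours ratio, so the finding is best confirmed by checking whether the quiet window lines up with the organisation's actual business hours rather than a generic schedule.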
The Soul framework was first seen in the wild in 2017 and tracked through 2019 in Chinese espionage operations run by threat actors with no evident connection to Sharp Panda. Overlaps in tooling between these clusters aside, Check Point's latest findings show that Soul remains under active development and deployment.