The China-linked APT group Sharp Panda is targeting high-profile government entities in Southeast Asia with the Soul modular framework.
Check Point researchers observed in late 2022 a campaign attributed to the China-linked APT group Sharp Panda targeting a high-profile government entity in Southeast Asia.
The state-sponsored hackers used a new version of the SoulSearcher loader, which eventually loads a new version of the Soul modular framework.
The researchers noted that this is the first time the Soul malware framework has been attributed to a known group of malicious activity, although it was previously used in attacks aimed at the defense, health and ICT sectors in Southeast Asia. The researchers cannot exclude that the Soul framework is used by multiple threat actors in the area.
“The connection between Sharp Panda’s tools and TTPs (tactics, techniques, and procedures) and the aforementioned attacks in Southeast Asia might serve as another example of the key features inherent in APT operations in China, such as sharing custom tools between groups or task specialization, where one entity is responsible for the initial infection and another performs the actual intelligence gathering.” reads the analysis published by the experts.
Check Point researchers first identified Sharp Panda activity in early 2021, when the APT group was targeting government entities in Southeast Asia with targeted phishing attacks.
The attackers used a Word document with government-related decoys that relied on a remote template to download and execute a malicious RTF document, weaponized with the infamous RoyalRoad kit.
Once established on the target system, the malware initiates a chain of fileless loaders, including a custom DLL downloader called 5.t Downloader and a second-stage loader that delivers the final backdoor.
The final-stage payload used in Sharp Panda campaigns at the time was the VictoryDll custom backdoor.
The experts detailed multiple campaigns targeting entities in Southeast Asian countries, such as Vietnam, Indonesia and Thailand. Over time, the initial part of the infection chain (using Word documents, RoyalRoad RTF, and 5.t Downloader) remained the same, but in early 2023, the VictoryDll backdoor was replaced with a new version of the SoulSearcher loader.
To target only organizations in Southeast Asia, the attackers used a geo-fenced C&C server. The SoulSearcher loader is used to download, decrypt and load into memory other modules of the Soul modular backdoor.
The main module of the Soul malware is responsible for communicating with the C&C server, and its primary purpose is to download and load additional modules into memory. One of the more interesting features supported by the backdoor is “radio silence”, which allows the threat actors to specify times during the week when the backdoor is not allowed to communicate with the C2 server.
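A scheduled pause like the "radio silence" feature described above is meant to make periodic C2 traffic harder to spot with a naive average-interval check. The following is an added example, not code from Check Point, Security Affairs or the Soul framework itself: a small beacon-cadence check over constructed proxy log lines (the hostnames, log format and timestamps are made up for the example). Gaps longer than a threshold are set aside as candidate silence windows instead of being averaged into the interval, so a host that beacons every ten minutes, stops for most of a day, and then resumes is still reported as periodic. It is a generic periodicity heuristic and does not identify Soul or any other family by itself.

```python
"""Beacon-cadence check that tolerates scheduled silence windows.

Added example for illustration only. The log below is constructed:
"<ISO timestamp> <source host> <destination host>", one request per line.
ws-17 contacts one external name every ~10 minutes on Monday morning,
goes quiet until Tuesday morning, then resumes with the same cadence.
ws-22 browses a normal site at irregular intervals and must not be flagged.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2023-01-09T08:00:00 ws-17 cdn-update.example.test
2023-01-09T08:10:03 ws-17 cdn-update.example.test
2023-01-09T08:19:58 ws-17 cdn-update.example.test
2023-01-09T08:30:01 ws-17 cdn-update.example.test
2023-01-09T08:40:00 ws-17 cdn-update.example.test
2023-01-09T08:50:04 ws-17 cdn-update.example.test
2023-01-10T08:00:02 ws-17 cdn-update.example.test
2023-01-10T08:09:59 ws-17 cdn-update.example.test
2023-01-10T08:20:00 ws-17 cdn-update.example.test
2023-01-10T08:30:03 ws-17 cdn-update.example.test
2023-01-09T08:01:00 ws-22 news.example.test
2023-01-09T08:04:30 ws-22 news.example.test
2023-01-09T09:47:10 ws-22 news.example.test
2023-01-09T10:02:00 ws-22 news.example.test
2023-01-09T13:15:45 ws-22 news.example.test
2023-01-09T13:16:01 ws-22 news.example.test
2023-01-09T16:58:20 ws-22 news.example.test
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair, sorted in time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    for stamps in pairs.values():
        stamps.sort()
    return pairs


def analyse_pair(stamps, gap_seconds=3600, max_jitter=0.05, min_beacons=6):
    """Return (is_beacon, median_interval_seconds, silence_windows).

    Inter-request gaps longer than `gap_seconds` are recorded as silence
    windows and excluded from the cadence estimate, so a scheduled pause does
    not blur an otherwise fixed interval. The remaining gaps are compared to
    their median; if the worst deviation is within `max_jitter` of the median
    and there are at least `min_beacons` requests, the pair is periodic.
    """
    deltas, silences = [], []
    for earlier, later in zip(stamps, stamps[1:]):
        delta = (later - earlier).total_seconds()
        if delta > gap_seconds:
            silences.append((earlier, later))
        else:
            deltas.append(delta)
    if len(deltas) + 1 < min_beacons:
        return False, None, silences
    mid = median(deltas)
    jitter = max(abs(d - mid) for d in deltas) / mid
    return jitter <= max_jitter, mid, silences


def find_beacons(text, **kwargs):
    """Return {(src, dst): {"interval_seconds": ..., "silence_windows": [...]}}
    for every pair whose traffic looks periodic."""
    result = {}
    for pair, stamps in parse_log(text).items():
        is_beacon, interval, silences = analyse_pair(stamps, **kwargs)
        if is_beacon:
            result[pair] = {"interval_seconds": interval,
                            "silence_windows": silences}
    return result


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {info['interval_seconds']:.0f}s, "
              f"{len(info['silence_windows'])} silence window(s)")
        for start, end in info["silence_windows"]:
            print(f"  quiet from {start} to {end}")
```

The gap threshold and jitter tolerance are starting points, not tuned values; on real proxy data they should be chosen per environment, and the silence windows a detection reports are worth reviewing on their own, since a pause that always falls on the same days and hours is itself a scheduling artefact rather than normal user behaviour.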
The latest backdoor sample (compiled on 2022/11/29 02:12:34 UTC) is quite different from the samples previously analyzed by the experts. The new version of SoulBackdoor implements a new custom C2 protocol and a new set of API endpoints. The researchers noticed that the C&C requests contain additional HTTP request headers. The C2 commands supported by the newer variant were mainly focused on loading additional modules, while lacking any kind of common backdoor functionality, such as manipulating local files, sending files to the C&C, and executing remote commands.
“The last stages of the infection chain in the described campaign are based on Soul, a previously unattributed modular malware framework. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities. Based on the technical findings presented in our research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities, and position within the broader network of espionage activities are yet to be explored.” concludes the report.
(SecurityAffairs – hacking, Sharp Panda)