Sharp Panda Targets Southeast Asia in Espionage Campaign Expansion

A threat actor known as Sharp Panda has been observed targeting government agencies in Southeast Asia using a toolset that was first discovered in 2021.

The Check Point Research (CPR) team described the new campaign in an advisory released today. While the campaign CPR documented in 2021 used a custom backdoor called VictoryDll, the latest campaign uses a new version of the SoulSearcher loader and the Soul modular framework.

“Although samples of this framework from 2017 to 2021 have been previously analyzed, this report presents the infection chain of the Soul malware family, including a full technical analysis of the latest version compiled in late 2022. It’s the most extensive research to date,” CPR wrote.

According to the advisory, the analyzed samples resemble those previously attributed to Sharp Panda. In particular, the attackers' C&C servers are geofenced and only return payloads to requests from IP addresses in the country where the target is located, so a request from anywhere else (an analyst's sandbox, for instance) receives nothing beyond the first stage.

Additionally, the loader used for initial access collects information about the victim machine before contacting the C&C server: hostname, OS name and version, system type (32- or 64-bit), user name, network adapter MAC address and installed antivirus solution.

“If the attacker determines that the victim’s machine is a likely target, the response from the server will contain the next stage executable in encrypted form and its MD5 checksum. After verifying the integrity of the received message, the downloader loads the decrypted DLL into memory and begins execution.”
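The exchange described in the three paragraphs above, modelled end to end as an added example (this is not code from CPR's report or from the malware): the first-stage loader builds its host fingerprint, the C&C geofences on the source address and applies a targeting rule, and the downloader refuses the next stage unless the MD5 matches. Everything concrete here is an assumption made for the demonstration: the XOR routine stands in for whatever cipher the loader really uses, the key, the "in-country" IP prefixes, the sandbox-hostname targeting rule and the response layout are invented, and the MD5 is assumed to be computed over the decrypted DLL.

```python
import hashlib
from typing import Optional

# Constructed stand-ins (assumptions, not Sharp Panda's real values or crypto):
# a fake next-stage DLL, a fixed XOR key in place of the loader's real cipher,
# and the IPv4 prefixes the C&C treats as "inside the target country".
NEXT_STAGE = b"MZ\x90\x00" + b"stand-in for the encrypted SoulSearcher stage " * 3
STAGE_KEY = b"example-key-not-real"
IN_COUNTRY_PREFIXES = ("203.0.113.", "198.51.100.")  # RFC 5737 documentation ranges


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric stand-in cipher; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def loader_fingerprint(hostname: str, os_name: str, os_version: str,
                       is_64bit: bool, user: str, mac: str, av: str) -> dict:
    """The fields the article says the first-stage loader collects before calling home."""
    return {
        "hostname": hostname,
        "os": f"{os_name} {os_version}",
        "arch": "x64" if is_64bit else "x86",
        "user": user,
        "mac": mac,
        "av": av,
    }


# Constructed victim profile used by the demo and the checks below.
SAMPLE_FINGERPRINT = loader_fingerprint("WS-FINANCE-07", "Windows", "10.0.19045", True,
                                        "analyst", "00:1A:2B:3C:4D:5E", "Windows Defender")


def cnc_respond(client_ip: str, fingerprint: dict) -> Optional[dict]:
    """Server side: geofence on the source IP, then apply a targeting rule.

    Returns None (no payload) for out-of-country requests, which is why a sandbox
    outside the target country only ever sees the first stage. The targeting rule
    (drop hosts whose name looks like a sandbox) is hypothetical.
    """
    if not client_ip.startswith(IN_COUNTRY_PREFIXES):
        return None
    if "sandbox" in fingerprint["hostname"].lower():
        return None
    return {
        "stage": xor_crypt(NEXT_STAGE, STAGE_KEY).hex(),
        "md5": hashlib.md5(NEXT_STAGE).hexdigest(),  # assumption: digest over the decrypted DLL
    }


def downloader_handle(response: Optional[dict]) -> Optional[bytes]:
    """Client side: decrypt, verify the MD5 before trusting the bytes, then hand back the DLL.

    The real loader maps the DLL into memory and executes it; this model only returns it.
    An MD5 shipped alongside the payload catches transport corruption, not substitution
    by whoever controls the channel.
    """
    if response is None:
        return None
    dll = xor_crypt(bytes.fromhex(response["stage"]), STAGE_KEY)
    if hashlib.md5(dll).hexdigest() != response["md5"]:
        raise ValueError("next-stage checksum mismatch; refusing to load")
    return dll


if __name__ == "__main__":
    print("foreign IP ->", cnc_respond("192.0.2.10", SAMPLE_FINGERPRINT))  # None: geofenced
    stage = downloader_handle(cnc_respond("203.0.113.7", SAMPLE_FINGERPRINT))
    print("in-country IP ->", len(stage), "bytes, header", stage[:2])
```

The practical point for analysts is the first branch of `cnc_respond`: detonating the loader from outside the target country yields the fingerprinting traffic but never the second stage, so the full chain has to be replayed from an in-country egress or reconstructed from a victim host.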

The second-stage SoulSearcher loader is then installed; it in turn loads the Soul backdoor's main module, which parses its configuration.

“Soul’s main module is responsible for communicating with the C&C server and its main purpose is to receive and load additional modules into memory,” CPR said. “Interestingly, the backdoor’s configuration includes features like ‘radio silence’, allowing the actor to specify certain times of the week when the backdoor is not allowed to communicate with its C&C server.”
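An added example (not CPR's code or the Soul configuration format, which the page does not describe) of what a "radio silence" schedule does to a beaconing pattern, seen from both sides: the backdoor consults a weekly table before each check-in, and a defender with a few weeks of proxy or NetFlow records for one host/destination pair can recover that table as the weekday/hour slots that never carry traffic. The table layout, the hourly beacon interval and the two-week timeline are all constructed for the demonstration.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# Constructed radio-silence table (assumption: the real Soul config layout is not given
# on the page). Each entry forbids C&C traffic on `day` for hours start <= hour < end.
RADIO_SILENCE = [
    ("sat", 0, 24),  # whole weekend: offices are empty, so traffic would stand out
    ("sun", 0, 24),
    ("mon", 0, 9),   # and Monday before office hours
]

OBSERVATION_START = datetime(2022, 11, 7)  # a Monday, 00:00 (constructed timeline)


def at(day: str, hour: int) -> datetime:
    """Datetime for `day`/`hour` in the week beginning OBSERVATION_START."""
    return OBSERVATION_START + timedelta(days=DAYS.index(day), hours=hour)


def may_beacon(t: datetime, silence=RADIO_SILENCE) -> bool:
    """Backdoor side: is C&C traffic permitted at this moment under the config?"""
    day = DAYS[t.weekday()]
    return not any(d == day and start <= t.hour < end for d, start, end in silence)


def simulate_beacons(start: datetime, days: int, interval_hours: int = 1,
                     silence=RADIO_SILENCE) -> List[datetime]:
    """Beacon every `interval_hours`, dropping every slot the config forbids."""
    out, t, end = [], start, start + timedelta(days=days)
    while t < end:
        if may_beacon(t, silence):
            out.append(t)
        t += timedelta(hours=interval_hours)
    return out


def infer_silence_slots(beacons: List[datetime]) -> List[Tuple[str, int]]:
    """Defender side: (weekday, hour) slots that never carried a beacon.

    A gap that repeats on the same weekday and hour across several weeks is a
    scheduling artifact, not the jitter of an ordinary client.
    """
    seen = {(b.weekday(), b.hour) for b in beacons}
    return sorted((DAYS[d], h) for d in range(7) for h in range(24) if (d, h) not in seen)


if __name__ == "__main__":
    beacons = simulate_beacons(OBSERVATION_START, days=14)
    slots = infer_silence_slots(beacons)
    print(len(beacons), "beacons;", len(slots), "silent weekday/hour slots")
    print("Saturday 15:00 allowed?", may_beacon(at("sat", 15)))
    print("Monday 09:00 allowed?", may_beacon(at("mon", 9)))
```

The inference in `infer_silence_slots` only works if the observation window is long enough for every permitted slot to be used at least once; with a sparser beacon interval or heavy jitter, treat a slot as silent only after several weeks without traffic rather than after one.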

Discussing the framework, the CPR team added that Soul has been in use since at least 2017, and that the actors behind it continue to update and improve it.

“Based on the technical findings presented in our research, we believe this campaign is being staged by advanced Chinese-backed threat actors. [...] function and positioning have not yet been investigated.”

The CPR advisory came months after another Chinese APT, known as Vixen Panda, was linked to attacks targeting the Iranian government.
