Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

March 8, 2023 | Ravie Lakshmanan | Advanced Persistent Threats


A prominent government agency in Southeast Asia has been the target of cyber espionage campaigns conducted by a Chinese threat actor known as Sharp Panda since late last year.

The intrusion is characterized by the use of a new version of the Soul modular framework, which marks a departure from the group’s attack chain observed in 2021.

Israeli cybersecurity firm Check Point said the group has historically chosen countries such as Vietnam, Thailand and Indonesia for its “long-term” activity. Sharp Panda was first documented by the company in June 2021, described as “a highly orchestrated operation that went to great lengths to stay under the radar.”

Interestingly, the use of the Soul backdoor was detailed by Broadcom’s Symantec in October 2021 in connection with an unattributed espionage campaign targeting the defense, healthcare, and ICT sectors in Southeast Asia.

According to research published in February 2022 by Fortinet FortiGuard Labs, the origin of this implant dates back to October 2017, and the malware borrows code from Gh0st RAT and other public tools.

The attack chain detailed by Check Point starts with a spear-phishing email carrying a lure document built with the Royal Road Rich Text Format (RTF) weaponizer. Opening the document exploits one of several vulnerabilities in the Microsoft Equation Editor to drop a downloader.


The downloader is then designed to retrieve a loader known as SoulSearcher from a geofenced command-and-control (C&C) server, which only responds to requests originating from IP addresses corresponding to the targeted country.

The loader is then responsible for downloading, decrypting, and executing the Soul backdoor and other components, thereby allowing the adversary to gather a wide range of information.
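The chain above hinges on a malicious RTF making the Equation Editor (EQNEDT32.EXE) launch a downloader. The legitimate Equation Editor does not spawn child processes, so a process-tree check on endpoint telemetry is a cheap way to catch this stage. The following is an added example, not code from the article or from Check Point: it scans constructed Sysmon-style process-creation records (the file paths and the `update.exe` name are placeholders, not indicators from the report) and flags any child of EQNEDT32.EXE, raising the severity when the child runs from, or references, a user-writable directory.

```python
"""Process-tree check for Equation Editor abuse (added example, constructed data)."""
import ntpath
import re

EQUATION_EDITOR = "eqnedt32.exe"

# Directories a dropped downloader typically runs from (user-writable).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE
)

# Constructed sample events; field names mirror Sysmon Event ID 1 (process creation).
# Paths and binary names below are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Downloads\memo.rtf'},
    # Word launching the Equation Editor is normal and should not fire.
    {"EventId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    # Equation Editor spawning a binary from %APPDATA%: classic dropped-downloader shape.
    {"EventId": 1, "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\Microsoft\update.exe"},
    # Equation Editor spawning cmd.exe: still abnormal, but no user-writable path involved.
    {"EventId": 1, "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventId": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, reason) for one process-creation event, or None if benign."""
    if event.get("EventId") != 1:
        return None
    if _basename(event["ParentImage"]) != EQUATION_EDITOR:
        return None
    if USER_WRITABLE.search(event["Image"]) or USER_WRITABLE.search(event.get("CommandLine", "")):
        return ("high", "Equation Editor spawned a process from a user-writable path")
    return ("medium", "Equation Editor spawned a child process")


def scan(events):
    """Run classify() over every event and return the list of findings."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append({"image": ev["Image"], "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['reason']}: {f['image']}")
```

On the constructed events the scan returns two findings: the `%APPDATA%` child as high severity and the `cmd.exe` child as medium. The same parent/child logic translates directly into a Sigma or EDR rule; the user-writable path heuristic is a severity hint, not a prerequisite, because a downloader can also be staged under a trusted-looking directory.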

“Soul’s main module is responsible for communicating with the C&C server and its main purpose is to receive additional modules and load them into memory,” said Check Point.


“Interestingly, the backdoor’s configuration includes features like ‘radio silence’, allowing the actor to specify certain times of the week when the backdoor is not allowed to communicate with the C&C server.”

The findings are another sign of widespread sharing of tools to facilitate intelligence gathering among Chinese Advanced Persistent Threat (APT) groups.

“Although the Soul framework has been in use since at least 2017, the threat actors behind it have continually updated and refined its architecture and functionality,” the company said.

It further stated that the campaign was “likely staged by advanced Chinese-backed threat actors, and other tools, capabilities and positioning within the broader network of espionage operations have yet to be explored.”
