The threat actor known as Sharp Panda has been observed targeting Southeast Asian government entities with a toolset first discovered in 2021.
The Check Point Research (CPR) team described the new campaign in an advisory published earlier today. While the campaign seen in 2021 used a custom backdoor called VictoryDll, the latest one observed by the team leverages a new version of the SoulSearcher loader and the Soul modular framework.
“Although samples of this framework from 2017–2021 were previously analyzed, this report is the most extensive look yet at the Soul malware family infection chain, including a full technical analysis of the latest version, compiled in late 2022,” CPR wrote.
According to the advisory, the analyzed sample showed similarities with previous Sharp Panda campaigns, including the fact that the C&C servers of the attackers are geofenced and return payloads only to requests from the IP addresses of the countries where targets are located.
Further, the loader used for initial access features data gathering capabilities, capturing hostnames, OS names and versions, system types (32/64 bit), usernames, MAC addresses of networking adapters and information on antivirus solutions.
“If the threat actors find the victim’s machine to be a promising target, the response from the server contains the next stage executable in encrypted form and its MD5 checksum. After verifying the integrity of the received message, the downloader loads the decrypted DLL to memory and starts its execution,” reads the advisory.
The second-stage SoulSearcher loader is installed, which subsequently executes the Soul backdoor main module and parses its configuration.
“The Soul main module is responsible for communicating with the C&C server, and its primary purpose is to receive and load in memory additional modules,” CPR states. “Interestingly, the backdoor configuration contains a ‘radio silence’-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server.”
Discussing the module, the CPR team added that, while the Soul framework has been used since at least 2017, the threat actors behind it have continuously been updating and refining it.
“Based on the technical findings presented in our research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored.”
The CPR advisory comes a couple of months after a separate Chinese APT known as Vixen Panda was linked to attacks targeting the Iranian government.