Sharp Panda’s new “SoulSearcher” malware framework is targeting high-profile government agencies in Vietnam, Thailand, and Indonesia. The Chinese state-aligned APT used the backdoor to spy on vital Southeast Asian organizations. Check Point found a spear-phishing-based malware campaign that started in late 2022 and continues into 2023.
The latest Sharp Panda operation sends spear-phishing emails with malicious DOCX attachments built with the RoyalRoad RTF kit, which exploits older vulnerabilities to drop malware on the host. The exploit creates a scheduled task and drops and executes a DLL malware downloader, which fetches and runs the SoulSearcher loader DLL from the C2 server. These TTPs and tools are consistent with Sharp Panda’s earlier activity.
This second DLL writes the final compressed payload to a registry key, then decrypts it and loads the entire modular backdoor into memory, evading antivirus tools on the infiltrated system. After execution, the Soul malware’s core module connects to the C2 and waits for new modules that expand its capabilities.
The new variant analyzed by Check Point has a “radio quiet” setting that lets threat actors choose the hours of the week during which the backdoor must not contact the command and control server, likely to avoid detection during the victim’s working hours. “This is an advanced OpSec capability that allows players to blend their communication flow into ordinary traffic and lower the odds of network communication being detected,” Check Point said.
Radio Quiet Settings For Backdoor And Control Server
The new variant uses the GET, POST, and DELETE HTTP request methods for its own C2 communication protocol. Building on ordinary HTTP verbs gives the protocol flexibility while keeping the traffic looking like normal web requests. After enrolling and sending victim fingerprinting data (hardware, OS, time zone, IP address), Soul enters an indefinite loop of contacting the C2.
These exchanges may involve loading additional modules, collecting and resending enumeration data, restarting the C2 conversation, or terminating its operation. Check Point did not obtain samples of the additional modules themselves (file operations, data exfiltration, keylogging, screenshot capture, etc.).
The Soul framework was first seen in 2017 and was tracked through 2019 in Chinese espionage activity by threat actors unrelated to Sharp Panda. Despite the overlaps with that earlier activity, Check Point’s newest findings show that Soul is still being developed and deployed.
The SoulSearcher Structure
The Soul modular framework has been studied since 2017, and researchers believe it is still under development. Sharp Panda is one of several Chinese groups that have used this toolset in the past.
- The most recent version of the Soul backdoor includes radio silence, a novel OpSec capability. It prevents the malware from connecting to the C2 during any period of the day or week the attacker chooses.
- The chances of detection decrease if the attacker configures it to keep the backdoor silent during the victim’s working hours.
- Furthermore, it uses a customized C2 protocol built on HTTP request methods such as GET, POST, and DELETE, giving operators more flexibility and discretion while communicating.
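The two traits described above (a C2 schedule that goes silent during the victim’s working hours, and a protocol that uses DELETE alongside GET and POST) are also what a defender can look for. The following is an added example, not code from Check Point or from the report; it profiles constructed proxy log lines per client and destination and flags pairs that never talk during business hours or that use the DELETE method. The log format, the business-hours window, and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real indicators): timestamp client method host.
SAMPLE_LOG = """\
2023-02-06T02:15:00 10.0.0.5 GET update.example-cdn.test
2023-02-06T03:15:00 10.0.0.5 POST update.example-cdn.test
2023-02-06T04:15:00 10.0.0.5 DELETE update.example-cdn.test
2023-02-07T01:10:00 10.0.0.5 GET update.example-cdn.test
2023-02-07T22:40:00 10.0.0.5 POST update.example-cdn.test
2023-02-06T09:05:00 10.0.0.7 GET intranet.corp.test
2023-02-06T14:20:00 10.0.0.7 POST intranet.corp.test
2023-02-07T03:00:00 10.0.0.7 GET intranet.corp.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|HEAD) (\S+)$")
WORK_HOURS = range(8, 18)  # assumed local business hours, Monday to Friday


def parse_log(text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def off_hours_profiles(text, min_requests=3):
    """Return {(client, host): [reasons]} for pairs with at least min_requests
    that either never appear during business hours (the inverse of a 'radio
    quiet' window aligned to the workday) or use the DELETE method."""
    stats = defaultdict(lambda: {"total": 0, "work": 0, "methods": set()})
    for ts, client, method, host in parse_log(text):
        s = stats[(client, host)]
        s["total"] += 1
        s["methods"].add(method)
        if ts.weekday() < 5 and ts.hour in WORK_HOURS:
            s["work"] += 1
    findings = {}
    for key, s in stats.items():
        if s["total"] < min_requests:
            continue
        reasons = []
        if s["work"] == 0:
            reasons.append("no traffic during business hours")
        if "DELETE" in s["methods"]:
            reasons.append("DELETE method used")
        if reasons:
            findings[key] = reasons
    return findings
```

Both heuristics produce false positives on their own (backup agents and REST clients, for instance), so they are best used to rank hosts for review rather than as a standalone alert.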
The Chinese state-sponsored cyberespionage group Sharp Panda is spear-phishing Thai, Indonesian, and Vietnamese government agencies with an upgraded version of the Soul malware. Check Point found DOCX attachments in Sharp Panda spear-phishing emails that were built with the RoyalRoad RTF kit. RoyalRoad exploits older vulnerabilities to create a scheduled task and execute a DLL malware downloader, which retrieves the “SoulSearcher loader” DLL and loads the Soul malware.
Researchers found that Soul had been modified to include a “radio quiet” mode that lets the backdoor avoid detection by not communicating with the command-and-control server during certain hours. “This is an advanced OpSec feature that allows actors to mix their communication flow into ordinary traffic and lower the odds of network communication being detected,” the researchers added. Check Point said the upgraded Soul malware supports several HTTP request methods, increasing its adaptability.