Chris Swagler | March 13th, 2023

Sharp Panda, a cyber-espionage threat operator group, is using a new version of the “Soul” malware framework to target high-profile government agencies in Vietnam, Thailand, and Indonesia. Previously, the malware was seen in espionage efforts targeting major Southeast Asian organizations and was connected to numerous Chinese APTs. A cybersecurity company discovered a new malware campaign that began in late 2022 and continued through 2023, using spear-phishing attempts for initial infiltration. The cybersecurity company was able to attribute the newest espionage operation to state-backed Chinese threat operators because of the group’s use of the RoyalRoad RTF kit, its C2 server addresses, and the threat operator’s working hours. Sharp Panda’s TTPs and tools are consistent with its earlier operations.

Sharp Panda’s current operation employs spear-phishing emails with malicious DOCX file attachments that use the RoyalRoad RTF kit to try to exploit older vulnerabilities and drop malware on the host. The exploit creates a scheduled task that drops and executes a DLL malware downloader, which retrieves and executes a second DLL, the SoulSearcher loader, from the C2 server. The second DLL creates a registry key whose value holds the final compressed payload, then decrypts it and loads the Soul modular backdoor into memory, allowing it to evade antivirus programs running on the compromised systems.
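A loader that parks its compressed, encrypted payload in a registry value, as described above, leaves a hunting opportunity: registry values that are unusually large and have near-random byte distributions are rare in legitimate software settings. The following Python script is an added example, not code from the original post or from the research it summarizes. It builds a constructed `.reg` export (made-up key names, value names and bytes), parses the `hex:` values the way regedit writes them (including backslash continuation lines), and flags values above a size threshold, using Shannon entropy to separate a random-looking blob from large but benign data. The thresholds are assumptions to tune per environment.

```python
import math
import random
import re
from typing import Dict, List

# Size above which a REG_BINARY value deserves a second look (assumption for this example).
SIZE_THRESHOLD = 1024
# Entropy (bits per byte) above which a blob looks compressed or encrypted (assumption).
ENTROPY_THRESHOLD = 7.0


def _fmt_hex_value(name: str, data: bytes, per_line: int = 25) -> str:
    """Render bytes as a .reg 'hex:' value using regedit-style continuation lines."""
    octets = [f"{b:02x}" for b in data]
    chunks = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return f'"{name}"=hex:' + ",\\\n  ".join(chunks)


def build_sample_export() -> str:
    """Constructed .reg export (sample data, not from any real host)."""
    rng = random.Random(1)  # seeded so the sample is reproducible
    high_entropy = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a packed payload
    zeros = bytes(4096)                                             # large but benign-looking
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]",
        '"Theme"="dark"',
        '"WindowPos"=hex:10,00,00,00,20,00,00,00',
        "",
        r"[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]",
        _fmt_hex_value("Padding", zeros),
        _fmt_hex_value("Blob", high_entropy),
        "",
    ])


_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches "Name"=hex:... and typed variants such as "Name"=hex(3):...
_HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<body>.*)$')


def parse_binary_values(reg_text: str) -> List[Dict]:
    """Return every hex-typed value in a .reg export with its key, name and raw bytes."""
    values: List[Dict] = []
    current_key = None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = _HEX_RE.match(line)
        if not val_match:
            continue
        body = val_match.group("body")
        # regedit wraps long values: each continued line ends with a backslash
        while body.rstrip().endswith("\\") and i < len(lines):
            body = body.rstrip()[:-1] + lines[i].strip()
            i += 1
        octets = [o for o in body.replace(" ", "").split(",") if o]
        data = bytes(int(o, 16) for o in octets)
        values.append({"key": current_key, "name": val_match.group("name"), "data": data})
    return values


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_suspicious_values(reg_text: str, size_threshold: int = SIZE_THRESHOLD,
                           entropy_threshold: float = ENTROPY_THRESHOLD) -> List[Dict]:
    """Flag large binary values and mark those whose entropy suggests packing or encryption."""
    findings = []
    for v in parse_binary_values(reg_text):
        size = len(v["data"])
        if size < size_threshold:
            continue
        ent = shannon_entropy(v["data"])
        findings.append({"key": v["key"], "name": v["name"], "size": size,
                         "entropy": round(ent, 2), "likely_packed": ent >= entropy_threshold})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_values(build_sample_export()):
        print(finding)
```

Run against a real export (`reg export HKCU out.reg` on the host, then feed the file's text to `find_suspicious_values`), the same logic surfaces values worth pulling for analysis; the size cut-off keeps ordinary window-placement and cache settings out of the results, and the entropy column tells a padded-but-benign value from one that looks encrypted.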

Following execution, the Soul malware’s primary module connects to the C2 and waits for additional modules that extend its capabilities. The cybersecurity company examined the new version, which is equipped with a “radio silence” mode that allows the threat actors to define hours of the week when the backdoor shouldn’t communicate with the command-and-control server, allowing the threat actors to avoid detection during the victims’ working hours. According to the cybersecurity company, this sophisticated OpSec feature allows threat actors to blend their communication flow into general traffic, reducing the likelihood that the network communications are detected. Additionally, the new variant employs a unique C2 communication protocol that uses numerous HTTP request methods, including GET, POST, and DELETE. Support for multiple HTTP methods gives the malware flexibility: GET is used to retrieve data and POST to submit data.

Soul’s communication with the C2 starts with registering itself and delivering the victim’s fingerprinting data (hardware details, OS type, time zone, and IP address), followed by an endless C2 contact loop. During these communications, it can receive commands to load more modules, gather and resend enumeration data, restart the C2 communication, or exit. The cybersecurity company did not examine any of the other modules that could carry out more specific operations, such as file actions, data exfiltration, keylogging, and screenshot capturing. The Soul framework first appeared in the wild in 2017 and has been tracked in Chinese espionage campaigns carried out by threat actors with no connection to Sharp Panda. Even with the overlap in tool usage, the cybersecurity company’s recent findings indicate that Soul is currently under active development and deployment.
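The two behaviours described above, a backdoor that polls its C2 in an endless loop but observes a “radio silence” window, and a protocol that mixes GET, POST and DELETE requests to the same host, are visible from the defender’s side in proxy logs as a beacon whose timing is very regular and whose activity is confined to off-hours. The Python below is an added example written for this post, not code from the original article or the research it summarizes. It constructs a day of sample proxy log lines (made-up addresses, hostnames and a simplified `timestamp src method host status` format), summarises each client-to-host pair by request count, HTTP methods, interval regularity and share of activity inside working hours, and flags pairs that beacon regularly yet go quiet during the work day. The working-hours window and the thresholds are assumptions to adapt locally.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Working-hours window used by the heuristic (assumption for this example).
WORK_START_HOUR = 8
WORK_END_HOUR = 18


def build_sample_log() -> List[str]:
    """Constructed proxy log: one host beaconing every two minutes outside working hours
    and one host browsing normally during the day. Addresses and hostnames are made up."""
    lines: List[str] = []
    day = datetime(2023, 3, 1)
    methods = ["GET", "POST", "DELETE"]
    for minute in range(0, 24 * 60, 2):
        ts = day + timedelta(minutes=minute)
        if WORK_START_HOUR <= ts.hour < WORK_END_HOUR:
            continue  # the implant stays silent during the work day
        lines.append(f"{ts.isoformat()} 10.0.0.5 {methods[minute % 3]} cdn-sync.example 200")
    for hour in range(9, 17):  # ordinary browsing: irregular bursts during the day
        for offset in (0, 3, 4, 11, 25, 38):
            ts = day + timedelta(hours=hour, minutes=offset)
            lines.append(f"{ts.isoformat()} 10.0.0.7 GET intranet.example 200")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, source, method, host)."""
    ts, src, method, host, _status = line.split()
    return datetime.fromisoformat(ts), src, method, host


def summarize(lines: List[str]) -> Dict[Tuple[str, str], Dict]:
    """Per (source, host) pair: request count, methods seen, interval regularity and
    the fraction of requests that fall inside working hours."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, src, method, host = parse_line(line)
        events[(src, host)].append((ts, method))
    summary: Dict[Tuple[str, str], Dict] = {}
    for pair, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Drop the single largest gap so one silence window does not mask an otherwise regular beat.
        if len(deltas) > 2:
            deltas.remove(max(deltas))
        mean = statistics.mean(deltas) if deltas else 0.0
        # Coefficient of variation: 0 means perfectly periodic, larger means human-like irregularity.
        cv = statistics.pstdev(deltas) / mean if mean > 0 else 1.0
        in_hours = sum(1 for t in times if WORK_START_HOUR <= t.hour < WORK_END_HOUR)
        summary[pair] = {
            "count": len(times),
            "methods": sorted({m for _, m in evs}),
            "interval_cv": round(cv, 3),
            "work_hours_fraction": round(in_hours / len(times), 3),
        }
    return summary


def flag_radio_silence_beacons(lines: List[str], min_count: int = 20, cv_max: float = 0.2,
                               work_fraction_max: float = 0.05) -> List[Dict]:
    """Flag pairs that beacon regularly yet almost never talk during working hours."""
    flagged = []
    for (src, host), s in summarize(lines).items():
        regular = s["count"] >= min_count and s["interval_cv"] <= cv_max
        quiet_in_work_hours = s["work_hours_fraction"] <= work_fraction_max
        if regular and quiet_in_work_hours:
            flagged.append({"src": src, "host": host, **s})
    return flagged


if __name__ == "__main__":
    for hit in flag_radio_silence_beacons(build_sample_log()):
        print(hit)
```

The heuristic deliberately removes the largest inter-request gap before measuring regularity: the silence window itself would otherwise inflate the variance and hide the periodic beat on either side of it. The `methods` field is carried along so an analyst can see at a glance that the flagged pair uses DELETE alongside GET and POST, which is unusual for a client talking to a content host and a useful pivot when building a query against a real proxy schema.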

With new and current malware variants developing new methods and techniques to avoid detection, it’s important for companies to stay on top of the current threat landscape and regularly update their network security infrastructure. At SpearTip, we offer tabletop exercises that are custom designed to strengthen the collaboration among company leaders and promote a common understanding of how leadership teams respond to incidents. The exercises are based on the current tactics, techniques, and procedures threat actors are employing and the perceived gaps in their current IR plan. After the exercise, our engineers identify key findings, opportunities for improvement, and key takeaways related to current policies and procedures to strengthen their ongoing security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.