Chinese state-backed hacking group Sharp Panda has been found to be targeting government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework.
The campaign, identified by Check Point, began in late 2022 and continues through 2023, using spear-phishing attacks with malicious DOCX file attachments to deploy the RoyalRoad RTF kit to drop malware on the host.
The TTPs and tools used are consistent with previously seen activities by Sharp Panda, leading Check Point to attribute the latest espionage operation to state-backed Chinese hackers.
The Soul malware establishes a connection with the C2 and waits for additional modules that will extend its functionality. The new version analyzed by Check Point features a “radio silence” mode that allows the threat actors to specify the hours of the week that the backdoor should not communicate with the command and control server, likely to evade detection during the victim’s working hours.
Moreover, the new variant implements a custom C2 communication protocol that uses various HTTP request methods, including GET, POST, and DELETE.
Soul’s communication with the C2 begins by registering itself and sending victim fingerprinting data, after which it enters an infinite C2 contacting loop.
The commands it may receive during these communications concern loading additional modules, collecting and resending enumeration data, restarting the C2 communication, or exiting its process.
Check Point did not sample additional modules that might perform more specialized functions such as file actions, data exfiltration, keylogging, screenshot capturing, etc.
The Soul framework was first seen in the wild in 2017 and subsequently tracked throughout 2019 in Chinese espionage campaigns conducted by threat actors with no obvious links to Sharp Panda.
Despite the overlaps in the use of the tool, Check Point’s recent findings show that Soul is still under active development and deployment.
The use of malware like Soul highlights the need for organizations to remain vigilant and employ strong cybersecurity measures, including updating software regularly, conducting regular employee training, and deploying robust anti-malware tools.
