The Sharp Panda hacking group is using a new strain of the ‘Soul’ malware framework to launch cyber-espionage attacks on notable government organizations in Indonesia, Thailand, and Vietnam. Previous espionage campaigns targeting crucial organizations in Southeast Asia have employed the same malware, which was linked to various Chinese APTs.

Check Point has identified a new campaign that has been utilizing the malware since late 2022 through spear-phishing attacks aimed at initial compromise. Check Point was able to attribute the latest espionage operation to state-backed Chinese hackers by utilizing the C2 server addresses, and the RoyalRoad RTF kit and analyzing the hacker’s working hours. Sharp Panda previously observed activities that were consistent with the techniques, tactics, procedures (TTPs), and tools used in this operation.

Infection Chain

The latest campaign by Sharp Panda involves spear-phishing emails that contain malicious DOCX file attachments. These attachments utilize the RoyalRoad RTF kit to exploit older vulnerabilities in an attempt to drop malware onto the targeted host.

Upon successful exploitation of the RoyalRoad RTF kit, the attacker creates a scheduled task and deploys a DLL malware downloader. This downloader retrieves and executes a second DLL from the C2 server, known as the SoulSearcher loader. This loader creates a registry key that stores a value containing the final compressed payload. It then decrypts and loads the Soul modular backdoor into memory, aiding in its evasion of antivirus tools installed on the compromised system.

Soul Details

Once activated, Soul malware starts to establish a connection with the C2 and remains idle until it receives additional modules that enhance its capabilities.

The latest version of the Soul malware, as examined by Check Point, includes a “radio silence” mode that enables threat actors to specify particular hours during the week when the backdoor should not communicate with the command and control server. The purpose of this feature is likely to avoid detection during the target’s work hours. Check Point noted that this advanced operational security (OpSec) capability allows attackers to camouflage their communication flow among standard traffic and decrease the likelihood of detection.

In addition, the latest iteration of the malware employs a personalized command and control (C2) communication protocol that leverages various HTTP request methods such as GET, POST, and DELETE. The malware’s increased versatility is due to the inclusion of multiple HTTP methods; it uses GET to retrieve data and POST to submit data.

Soul malware establishes communication with the C2 server by initially registering itself and transmitting victim fingerprinting data, such as operating system type, hardware information, IP address and time zone. Following this, the malware enters an infinite loop of contacting the C2 server. Commands that the malware may receive during this process include loading additional modules, gathering and forwarding enumeration data, restarting the C2 communication, or terminating its existing process.

Check Point did not examine any supplementary modules that may have been responsible for executing specialized functions like data theft, capturing screenshots, file manipulation, and keystroke logging.

Soul Framework

The Soul framework was initially discovered in the wild in 2017 and was later observed in Chinese espionage campaigns throughout 2019, executed by threat actors with no apparent connection to Sharp Panda. Despite the tool’s use in prior attacks, Check Point’s recent investigation has revealed that Soul continues to undergo active development & deployment.