New malware variant has “radio silence” mode to evade detection


The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework.

The malware was previously seen in espionage campaigns targeting critical Southeast Asian organizations, attributed to various Chinese APTs.

Check Point identified a new campaign using the malware that began in late 2022 and continues through 2023, employing spear-phishing attacks for initial compromise.

The use of the RoyalRoad RTF kit, the C2 server addresses, and the hackers’ working hours allowed Check Point to attribute the latest espionage operation to state-backed Chinese hackers. The TTPs and tools are consistent with previously observed Sharp Panda activity.

Infection chain

The new Sharp Panda campaign uses spear-phishing emails with malicious DOCX attachments that deploy the RoyalRoad RTF kit to attempt to exploit older vulnerabilities and drop malware on the host.

In this case, the exploit creates a scheduled task and then drops and executes a DLL malware downloader, which in turn fetches and executes a second DLL from the C2 server, the SoulSearcher loader.

This second DLL creates a registry key whose value contains the final compressed payload, then decrypts and loads the Soul modular backdoor into memory, helping it evade detection by antivirus tools running on the breached system.

Infection chain (Check Point)

Soul details

Upon execution, the main module of the Soul malware establishes a connection with the C2 and waits for additional modules that extend its functionality.

The new version analyzed by Check Point features a “radio silence” mode that allows the threat actors to specify the exact hours of the week during which the backdoor must not communicate with the command and control server, likely to evade detection during the victim’s working hours.

“This is an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected,” explained Check Point.

Main backdoor configuration (Check Point)
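A “radio silence” schedule leaves a usable trace for defenders: a host that talks to one destination only outside business hours, while its other traffic follows the normal working day. The following is an added detection sketch, not Check Point’s code or anything from the Soul sample; the proxy-log format, the host and destination names, and the Mon–Fri 09:00–17:59 working window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real data): "<ISO timestamp> <src host> <method> <dest>".
# 2023-02-06 is a Monday; the c2 host is only contacted before 09:00, after 18:00 or at the weekend.
SAMPLE_LOG = """\
2023-02-06T07:15:00 ws-17 GET c2.example.invalid
2023-02-06T19:40:00 ws-17 POST c2.example.invalid
2023-02-07T06:50:00 ws-17 GET c2.example.invalid
2023-02-08T22:05:00 ws-17 DELETE c2.example.invalid
2023-02-11T13:00:00 ws-17 GET c2.example.invalid
2023-02-06T10:00:00 ws-17 GET updates.example.invalid
2023-02-06T15:30:00 ws-17 GET updates.example.invalid
2023-02-07T11:10:00 ws-17 POST updates.example.invalid
2023-02-09T02:00:00 ws-17 GET updates.example.invalid
"""

# Assumed working hours of the monitored organisation: Mon-Fri, 09:00-17:59 local time.
WORK_DAYS = range(0, 5)      # datetime.weekday(): 0 = Monday
WORK_HOURS = range(9, 18)

def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() in WORK_DAYS and ts.hour in WORK_HOURS

def parse_log(text: str):
    """Yield (timestamp, host, method, dest) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def find_radio_silent(text: str, min_events: int = 4):
    """Return sorted (host, dest) pairs seen >= min_events times but never inside working hours.
    Legitimate after-hours jobs (backups, updaters) match too, so hits are triage leads, not verdicts."""
    totals, in_hours = defaultdict(int), defaultdict(int)
    for ts, host, _method, dest in parse_log(text):
        totals[(host, dest)] += 1
        if in_working_hours(ts):
            in_hours[(host, dest)] += 1
    return sorted(k for k, n in totals.items() if n >= min_events and in_hours[k] == 0)

if __name__ == "__main__":
    for host, dest in find_radio_silent(SAMPLE_LOG):
        print(f"{host} -> {dest}: contacted only outside working hours")
```

Run against real proxy or NetFlow exports, the same per-destination comparison is what makes an inverted (after-hours-only) beacon stand out against a host’s own baseline rather than against a global threshold.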

Moreover, the new variant implements a custom C2 communication protocol that uses various HTTP request methods, including GET, POST, and DELETE.

Support for multiple HTTP methods gives the malware flexibility, with GET used for retrieving data and POST for submitting data.

Soul’s communication with the C2 begins by registering itself and sending victim fingerprinting data (hardware details, OS type, time zone, IP address), after which it enters an infinite C2 contacting loop.

Victim enumeration data (Check Point)

The commands it may receive during these communications concern loading additional modules, collecting and resending enumeration data, restarting the C2 communication, or exiting its process.

Commands supported by Soul (Check Point)

Check Point did not sample additional modules that might perform more specialized functions such as file operations, data exfiltration, keylogging, screenshot capturing, and so on.

The Soul framework was first seen in the wild in 2017 and subsequently tracked throughout 2019 in Chinese espionage campaigns conducted by threat actors with no apparent links to Sharp Panda.

Despite the overlaps in the use of the tool, Check Point’s latest findings show that Soul is still under active development and deployment.
