Attributed to Eli Smadja, Research Group Manager at Check Point Software
Check Point Research (CPR) sees the expansion of an ongoing cyber espionage campaign to target more Southeast Asian governments, including Vietnam, Thailand, and Indonesia.
In June 2021, CPR identified a Chinese APT group named SharpPanda using spear-phishing and Microsoft vulnerabilities to gain access to target networks. CPR continued to track SharpPanda’s activity since then, learning of a cyber attack on a high-profile government entity in late 2022.
The payload in this specific attack leverages what’s known as the Soul modular framework, a previously unattributed modular malware framework. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities.
The attack begins as a phishing attack with a malicious document containing a remote template with an exploit. The exploit runs a built-in downloader, which helps run the Soul backdoor.
Eli Smadja, Research Group Manager at Check Point Software, shares: “We’re seeing a long-running Chinese cyber-espionage operation targeting South East Asian government entities, including Vietnam, Thailand and Indonesia. There’s an interesting connection between two attack tool sets for the first time. Based on the technical findings presented in this research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored.”
Eli added: “While Sharp Panda’s previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of the SoulSearcher loader, which eventually loads the Soul modular framework. Usually, the attack starts as a phishing attack with a malicious document containing a remote template with a RoyalRoad exploit. The exploit runs a built-in downloader and then downloads the second stage of the Soul framework, which runs the Soul backdoor. Although the samples of this framework from 2017-2021 were analysed before, this is the most extensive infection chain of the Soul malware family to be documented, including the full technical analysis of the latest version, compiled in late 2022.”