An enhanced version of the ‘Soul’ malware operated by the Sharp Panda cyberespionage gang has been spotted in the wild, targeting government agencies in Southeast Asian countries. Most of the attacks from this Chinese-backed group are directed against Vietnam, Thailand, and Indonesia.
This campaign’s initial compromise vector is spear-phishing, which the group uses to get the malware into victims’ networks. Researchers first observed this activity from the group in the latter part of 2022, and it has continued into this year.
The spear-phishing email carries a malicious DOCX attachment that is used to deliver the Soul malware onto victims’ computers.
According to the investigation, once a victim opens the attached DOCX file, it deploys the RoyalRoad RTF kit, which attempts to exploit existing flaws on the victim’s system. Once it finds a suitable point of entry, the kit drops the Soul malware.
The RoyalRoad RTF kit’s exploit creates a scheduled task before dropping a DLL downloader. That DLL then fetches a second DLL, the SoulSearcher loader, from the attackers’ remote server and launches it.
The SoulSearcher loader then creates a registry key that can launch the final, compressed payload. It then decrypts the Soul malware and loads it directly into the machine’s memory, a step that is vital to evading security detection. The malware promptly connects to the attacker-controlled C2 server, from which additional modules are sent to extend its functionality.
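The chain above (Office document, scheduled task, DLL loader, Run-key persistence, outbound C2) is what a defender can correlate in endpoint telemetry. The following is an added detection example, not code from the researchers or the article; the event names (`sched_task`, `dll_load`, `registry_run`, `network`) are a hypothetical normalized schema, and the sample events are constructed and contain no real indicators.

```python
from collections import defaultdict
from datetime import datetime

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hypothetical normalized stage names for the persistence/loader/beacon steps.
STAGES = {"sched_task", "dll_load", "registry_run", "network"}
WINDOW_SECONDS = 600  # all stages must land within ten minutes of each other

# Constructed sample telemetry: (timestamp, host, event, pid, ppid, detail). Not real IoCs.
SAMPLE_EVENTS = [
    ("2023-03-01T09:02:10", "ws01", "process", 400, 120, "winword.exe"),
    ("2023-03-01T09:02:14", "ws01", "process", 410, 400, "cmd.exe"),
    ("2023-03-01T09:02:15", "ws01", "sched_task", 410, 400, "task created"),
    ("2023-03-01T09:02:30", "ws01", "process", 420, 400, "rundll32.exe"),
    ("2023-03-01T09:02:31", "ws01", "dll_load", 420, 400, "unsigned DLL from user profile"),
    ("2023-03-01T09:02:45", "ws01", "registry_run", 420, 400, "HKCU Run value added"),
    ("2023-03-01T09:03:00", "ws01", "network", 420, 400, "198.51.100.7:443"),
    ("2023-03-01T10:00:00", "ws02", "process", 500, 120, "winword.exe"),  # benign print job
    ("2023-03-01T10:00:05", "ws02", "process", 510, 500, "splwow64.exe"),
    ("2023-03-01T10:00:06", "ws02", "network", 510, 500, "192.0.2.9:9100"),
]

def office_root(host, pid, parents, names):
    """Walk the process tree upward; return the pid of an Office ancestor, or None."""
    seen = set()
    while (host, pid) in names and pid not in seen:
        seen.add(pid)
        if names[(host, pid)].lower() in OFFICE:
            return pid
        pid = parents[(host, pid)]
    return None

def correlate(events, min_stages=3):
    """Group stage events by the Office process that spawned them and alert when
    at least min_stages distinct stages occur inside WINDOW_SECONDS."""
    parents, names = {}, {}
    for ts, host, ev, pid, ppid, detail in events:
        if ev == "process":
            parents[(host, pid)], names[(host, pid)] = ppid, detail
    chains = defaultdict(list)
    for ts, host, ev, pid, ppid, detail in events:
        if ev in STAGES:
            root = office_root(host, pid, parents, names)
            if root is not None:
                chains[(host, root)].append((datetime.fromisoformat(ts), ev))
    alerts = []
    for (host, root), hits in chains.items():
        hits.sort()
        stages = {ev for _, ev in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(stages) >= min_stages and span <= WINDOW_SECONDS:
            alerts.append({"host": host, "office_pid": root, "stages": sorted(stages)})
    return alerts
```

A single Office-spawned network connection (ws02) is not enough to alert; the full persistence-plus-beacon sequence (ws01) is.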
Experts also highlight the threat group’s use of a “radio silence” feature, which designates specific hours of the week during which the compromised machine must not communicate with the C2 server, particularly during working hours.
The Soul malware communicates with the attackers by sending fingerprinting data from the compromised host, such as OS type, IP address, and hardware details. Among the commands the malware can receive from the attackers are collecting data, loading additional payloads, restarting C2 communication, and shutting down its activities.
Since this campaign targets high-profile government organizations, experts advise strengthening security across this targeted sector.