The threat actor commonly known as Sharp Panda has been observed targeting Southeast Asian government entities with a toolset first discovered in 2021.
The Check Point Research (CPR) team described the new campaign in an advisory published earlier today. While the campaign seen in 2021 used a custom backdoor called VictoryDll, the latest one observed by the team leverages a new version of the SoulSearcher loader and the Soul modular framework.
“Although samples of this framework from 2017–2021 were previously analyzed, this report is the most extensive look yet at the Soul malware family infection chain, including a full technical analysis of the latest version, compiled in late 2022,” CPR wrote.
According to the advisory, the analyzed sample showed similarities with earlier Sharp Panda campaigns, including the fact that the attackers' C&C servers are geofenced and return payloads only to requests from IP addresses in the countries where the targets are located.
Further, the loader used for initial access has information-gathering capabilities, capturing hostnames, OS names and versions, system types (32/64-bit), usernames, MAC addresses of network adapters and data on installed antivirus solutions.
“If the threat actors find the victim’s machine to be a promising target, the response from the server contains the next stage executable in encrypted form and its MD5 checksum. After verifying the integrity of the received message, the downloader loads the decrypted DLL to memory and starts its execution,” reads the advisory.
The second-stage SoulSearcher loader is then installed; it in turn executes the Soul backdoor main module and parses its configuration.
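The stage-two handoff the advisory describes (encrypted next stage plus an MD5 checksum, verified before the DLL is loaded into memory), as an added example in Python that is neither CPR's code nor the real Soul downloader. The wire layout (16-byte MD5 followed by ciphertext), the toy XOR cipher, the key and the sample payload are all assumptions, since the page gives neither the message format nor the cipher. The point worth seeing is the caveat: an unkeyed checksum catches corruption in transit, but anyone who can rewrite the response and who knows the key (a static key embedded in the loader is recoverable from the sample) can substitute a stage and recompute the checksum, and the check passes.

```python
import hashlib
from typing import Optional

MD5_LEN = 16  # hashlib.md5 digest size

def stream_xor(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR, a stand-in for whatever cipher the real loader
    uses (the page does not say). The same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_response(stage: bytes, key: bytes) -> bytes:
    """Server side, as assumed here: ciphertext prefixed by its MD5."""
    ct = stream_xor(stage, key)
    return hashlib.md5(ct).digest() + ct

def parse_response(msg: bytes, key: bytes) -> Optional[bytes]:
    """Loader side: verify the checksum over the ciphertext, then decrypt.
    Returns the plaintext stage, or None if the checksum does not match."""
    if len(msg) <= MD5_LEN:
        return None
    checksum, ct = msg[:MD5_LEN], msg[MD5_LEN:]
    if hashlib.md5(ct).digest() != checksum:
        return None
    return stream_xor(ct, key)

def substitute_stage(new_ct: bytes) -> bytes:
    """What a party that can rewrite the response can do: swap in a different
    ciphertext and recompute the unkeyed MD5. parse_response cannot tell."""
    return hashlib.md5(new_ct).digest() + new_ct

def demo() -> tuple:
    """Three cases: genuine message accepted, corrupted message rejected,
    substituted message with a recomputed checksum accepted."""
    key = b"\x5a\xa5\x3c"  # constructed key
    stage = b"MZ\x90\x00 constructed stand-in for the next-stage DLL"
    msg = build_response(stage, key)
    genuine_ok = parse_response(msg, key) == stage

    corrupted = msg[:-1] + bytes([msg[-1] ^ 0x01])  # one bit flipped in transit
    corruption_rejected = parse_response(corrupted, key) is None

    replacement = b"constructed replacement stage"
    forged = substitute_stage(stream_xor(replacement, key))
    forged_ok = parse_response(forged, key) == replacement
    return genuine_ok, corruption_rejected, forged_ok

if __name__ == "__main__":
    print(demo())
```

The practical reading for a defender is that an MD5 over the payload is a transport integrity check, not an authenticity check; it says nothing about whether the stage came from the operator's infrastructure. For an analyst emulating the C&C to pull further stages from a sample, the same property means any correctly framed response will be accepted by a loader that checks only the checksum.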
“The Soul main module is responsible for communicating with the C&C server, and its main purpose is to receive and load in memory additional modules,” CPR states. “Interestingly, the backdoor configuration contains a ‘radio silence’-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server.”
Discussing the module, the CPR team added that, while the Soul framework has been used since at least 2017, the threat actors behind it have repeatedly updated and refined it.
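The “radio silence” schedule described above, as an added Python example that is neither CPR's code nor the backdoor's own: the week-by-hour encoding, the UTC basis and the sample windows are assumptions, since the page does not give the configuration format. It goes a little beyond the page by also showing the analyst's counterpart, recovering the quiet windows from a host's outbound beacon timestamps.

```python
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Tuple

# One slot per hour of the week: slot 0 = Monday 00:00 UTC, slot 167 = Sunday 23:00 UTC.
SLOTS_PER_WEEK = 7 * 24

def hour_of_week(ts: datetime) -> int:
    """Map a timezone-aware timestamp to its hour-of-week slot (UTC)."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() * 24 + ts.hour

def silence_slots(windows: Iterable[Tuple[int, int, int]]) -> FrozenSet[int]:
    """Expand (weekday, start_hour, end_hour) windows (weekday 0 = Monday,
    end exclusive, UTC) into the set of slots in which the implant stays quiet.
    The encoding the real backdoor uses in its configuration is an assumption."""
    slots = set()
    for weekday, start, end in windows:
        if not (0 <= weekday <= 6 and 0 <= start < end <= 24):
            raise ValueError(f"bad window {(weekday, start, end)}")
        slots.update(weekday * 24 + h for h in range(start, end))
    return frozenset(slots)

def may_beacon(ts: datetime, silence: FrozenSet[int]) -> bool:
    """Implant side: the check made before every C&C contact."""
    return hour_of_week(ts) not in silence

def quiet_slots(beacons: Iterable[datetime]) -> FrozenSet[int]:
    """Analyst side: slots in which an otherwise regularly beaconing host
    produced no outbound traffic. With at least one full week of telemetry,
    these are candidates for the operator's configured silence windows."""
    counts = [0] * SLOTS_PER_WEEK
    for ts in beacons:
        counts[hour_of_week(ts)] += 1
    return frozenset(i for i, c in enumerate(counts) if c == 0)

def simulate_beacons(start: datetime, days: int, period: timedelta,
                     silence: FrozenSet[int]) -> List[datetime]:
    """Constructed telemetry: an implant that beacons every `period` unless
    the current slot is silenced."""
    out, ts, end = [], start, start + timedelta(days=days)
    while ts < end:
        if may_beacon(ts, silence):
            out.append(ts)
        ts += period
    return out

# Constructed schedule: no C&C traffic Monday to Friday, 07:00-19:00 UTC.
EXAMPLE_WINDOWS = [(weekday, 7, 19) for weekday in range(5)]
EXAMPLE_SILENCE = silence_slots(EXAMPLE_WINDOWS)

def recovered_schedule() -> FrozenSet[int]:
    """One week of half-hourly beacons starting 2023-03-06 (a Monday), then
    the slots the analyst would flag; equals EXAMPLE_SILENCE for this input."""
    start = datetime(2023, 3, 6, tzinfo=timezone.utc)
    beacons = simulate_beacons(start, 7, timedelta(minutes=30), EXAMPLE_SILENCE)
    return quiet_slots(beacons)

if __name__ == "__main__":
    recovered = recovered_schedule()
    print(len(recovered), "quiet slots; matches configured schedule:",
          recovered == EXAMPLE_SILENCE)
```

On real telemetry the histogram needs several weeks, tolerance for beacon jitter and a host that is actually powered on during the candidate windows, and the operator's schedule may be expressed in the target's local time rather than UTC. The detection angle is that a beacon detector keyed on a fixed interval will see this implant go dark on a clock, and a quiet pattern that lines up with local working hours is itself a feature worth alerting on rather than a reason to discount the host.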
“Based on the technical findings presented in our research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored.”
The CPR advisory comes a few months after a separate Chinese APT known as Vixen Panda was linked to attacks targeting the Iranian government.