Check Point Research traces the evolution of Sharp Panda tools into a newer Soul malware framework used against Southeast Asian government entities, culminating in late-2022 activity that loaded the Soul modular backdoor. The report links these campaigns to a Chinese-origin APT, highlighting a modular, in-memory framework with geofenced C2 and evolving loader chains. #SoulBackdoor #SharpPanda
Key points
- Late-2022 campaign targeted a high-profile government entity in Southeast Asia with infection chains tied to Sharp Panda.
- The payload shifted from VictoryDll to a new version of the SoulSearcher loader, which loads the Soul modular backdoor.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Spear-phishing emails provided initial access to the targeted networks. "The attackers used spear-phishing emails to gain initial access to the targeted networks."
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – The downloader is executed via rundll32.exe with the StartA export. "The downloader, which in this specific case was dropped by RoyalRoad RTF to the disk as res6.a, is executed by a scheduled task with rundll32.exe, StartA."
- [T1053.005] Scheduled Task – The downloader is launched by a scheduled task that runs rundll32. "The downloader, which in this specific case was dropped by RoyalRoad RTF to the disk as res6.a, is executed by a scheduled task with rundll32.exe, StartA."
- [T1055] Process Injection – The decrypted DLL is loaded and executed in memory via its StartW export. "loads the decrypted DLL to memory and starts its execution from the StartW export."
- [T1112] Modify Registry – The loader stores its configuration in the registry as part of the backdoor's payload flow. "The newest version loads the config from a hardcoded Base64 string and stores it in the registry path HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\CONFIGEX."
- [T1027] Obfuscated/Compressed Files and Information – The framework uses RC4+Base64 encoding and string encryption to conceal communications and data. "the encoding method using RC4+Base64 remained consistent in all cases."
- [T1543.003] Create/Modify Windows Service – The configuration includes a service section for installing the backdoor as a service. "The service (…) defines the parameters for the backdoor to be installed as a service."
- [T1071.001] Web Protocols – The Soul backdoor communicates over HTTP(S) using several request methods (GET, POST, DELETE). "The backdoor uses HTTP communication… uses various HTTP request methods such as GET, POST, and DELETE."
- [T1082] System Information Discovery – The backdoor enumerates system information before contacting its C2. "The backdoor performs a full system enumeration and collects the following data: …"
Indicators of Compromise
- [IP Address] C2 servers – 45.76.190.210, 45.197.132.68, and 103.159.132.96
- [Domain] C2 domain – office.oiqezet.com
- [Hash] Phishing documents – 32a0f6276fea9fe5ee2ffda461494a24a5b1f163a300bc8edd3b33c9c6cc2d17, ca7f297dc04acad2fab04d5dc2de9475aed4186805f6c237c10b8f56b384cf30
- [Hash] External template (RoyalRoad RTF) – 81d9e75d279a953789cbbe9ae62ce0ed625b61d123fef8ffe49323a04fecdb3f, 12c1a4c6406ff378e8673a20784c21fb997180cd333f4ef96ed4873530baa8d3
- [Hash] 5.t Downloader – 0f9f85d41da21781933e33dddcc5f516c5ec07cc5b4cff53ba388467bc6ac3fd, 17f4a21e0e8c0ce958baf34e45a8b9481819b9b739f3e48c6ba9a6633cf85b0e
- [Hash] SoulSearcher – d1a6c383de655f96e53812ee1dec87dd51992c4be28471e44d7dd558585312e0
- [Hash] Soul Backdoor – df5fe7ec6ecca27d3affc901cb06b27dc63de9ea8c97b87bc899a79eca951d60
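As an added example (not part of the Check Point report or this summary), the following Python turns the behaviours and indicators listed above into simple detection rules and runs them over constructed endpoint telemetry: rundll32 invoking a StartA/StartW export, a scheduled-task parent, writes under the CONFIGEX registry key, and connections to the listed C2 addresses. The event schema, the Task Scheduler parent heuristic and the sample records are assumptions made for the example.

```python
import re

# Indicators and behaviours as summarised on this page; the event schema below is constructed.
C2_IPS = {"45.76.190.210", "45.197.132.68", "103.159.132.96"}
C2_DOMAINS = {"office.oiqezet.com"}
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\CONFIGEX"
# rundll32 calling a DLL export named StartA or StartW (the entry points named above).
RUNDLL_EXPORT = re.compile(r"rundll32(?:\.exe)?\s+\S+?[, ]\s*Start[AW]\b", re.IGNORECASE)


def match_event(event):
    """Return the rule names matched by one telemetry record (a dict in the constructed schema)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        if RUNDLL_EXPORT.search(event.get("command_line", "")):
            hits.append("rundll32_start_export")
            # Assumption: a Task Scheduler launch appears as a parent whose command line
            # carries the Schedule service name (svchost -s Schedule) or as taskeng.exe.
            parent = (event.get("parent_image", "") + " " + event.get("parent_command_line", "")).lower()
            if "taskeng.exe" in parent or "schedule" in parent:
                hits.append("scheduled_task_rundll32")
    elif kind == "registry_set":
        if event.get("target_object", "").upper().startswith(CONFIG_KEY.upper()):
            hits.append("soul_config_registry_key")
    elif kind == "network_connect":
        if event.get("dest_ip") in C2_IPS or event.get("dest_host", "").lower() in C2_DOMAINS:
            hits.append("known_c2_contact")
    return hits


def scan(events):
    """Map each matched rule to the indices of the events that triggered it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in match_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed sample telemetry (not from the report): three suspicious records, two benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "command_line": r"rundll32.exe C:\Users\Public\res6.a,StartA",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_command_line": "svchost.exe -k netsvcs -p -s Schedule"},
    {"type": "registry_set", "target_object": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\CONFIGEX\Data"},
    {"type": "network_connect", "dest_ip": "45.76.190.210", "dest_port": 443},
    {"type": "process_create", "command_line": "rundll32.exe shell32.dll,Control_RunDLL",
     "parent_image": "explorer.exe"},
    {"type": "network_connect", "dest_host": "example.com", "dest_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```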