The threat actor known as Sharp Panda has been observed targeting Southeast Asian government entities with a toolset first uncovered in 2021.
The Check Point Research (CPR) team described the new campaign in an advisory published earlier today. While the campaign seen in 2021 used a custom backdoor named VictoryDll, the latest one observed by the team leverages a new version of the SoulSearcher loader and the Soul modular framework.
“Although samples of this framework from 2017–2021 had been previously analyzed, this report is the most extensive look yet at the Soul malware family infection chain, including a full technical analysis of the latest version, compiled in late 2022,” CPR wrote.
According to the advisory, the analyzed sample showed similarities with previous Sharp Panda campaigns, including the fact that the attackers’ C&C servers are geofenced and return payloads only to requests from IP addresses in the countries where targets are located.
Further, the loader used for initial access features data-gathering capabilities, capturing hostnames, OS names and versions, system types (32/64-bit), usernames, MAC addresses of network adapters and information on installed antivirus solutions.
“If the threat actors find the victim’s machine to be a promising target, the response from the server contains the next-stage executable in encrypted form and its MD5 checksum. After verifying the integrity of the received message, the downloader loads the decrypted DLL into memory and begins its execution,” reads the advisory.
The second-stage SoulSearcher loader is then installed; it in turn executes the Soul backdoor main module and parses its configuration.
“The Soul main module is responsible for communicating with the C&C server, and its main purpose is to receive and load in memory additional modules,” CPR states. “Interestingly, the backdoor configuration has a ‘radio silence’-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server.”
Discussing the module, the CPR team added that, while the Soul framework has been used since at least 2017, the threat actors behind it have been consistently updating and refining it.
“Based on the technical findings presented in our analysis, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored.”
The CPR advisory comes a few months after another Chinese APT known as Vixen Panda was linked to attacks targeting the Iranian government.
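The ‘radio silence’ configuration described above has a hunting angle for defenders: an implant that otherwise beacons on a steady schedule leaves a recurring weekly hole in outbound connections to its C&C host. The following is an added example (not code from the CPR advisory or the Soul framework) that builds an hour-of-week histogram from proxy log lines and reports the slots in which a given destination is never contacted. The log format, the destination address and the beacon schedule are all constructed for the illustration.

```python
"""Hunt for a recurring weekly 'radio silence' gap in beacon traffic.

Added example, not code from the CPR advisory. A backdoor that is
forbidden from contacting its C&C server during fixed hours of the week
leaves the same hour-of-week slots empty in every week of proxy logs.
The log line format used here ("<ISO timestamp> <src> <dst>") is a
constructed, hypothetical one.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: 30-minute beacons over three full weeks starting on a
# Monday, with a deliberate blackout every Saturday from 08:00 to 11:59.
START = datetime(2023, 1, 2)                 # a Monday (weekday 0)
BLACKOUT = {(5, h) for h in range(8, 12)}    # (weekday, hour); 5 = Saturday
DST = "203.0.113.10"                         # documentation-range address, constructed


def constructed_log_lines(weeks=3, dst=DST):
    """Generate sample proxy log lines with the blackout window removed."""
    lines = []
    t = START
    end = START + timedelta(weeks=weeks)
    while t < end:
        if (t.weekday(), t.hour) not in BLACKOUT:
            lines.append(f"{t.isoformat()} 10.0.0.5 {dst}")
        t += timedelta(minutes=30)
    return lines


def parse_line(line):
    """Return (timestamp, dst) from a constructed 'ISO8601 src dst' line."""
    ts, _src, dst = line.split()
    return datetime.fromisoformat(ts), dst


def hour_of_week_counts(lines, dst):
    """Count connections to dst per (weekday, hour) slot."""
    counts = Counter()
    for line in lines:
        ts, d = parse_line(line)
        if d == dst:
            counts[(ts.weekday(), ts.hour)] += 1
    return counts


def silent_hours(lines, dst, min_weeks=2):
    """Hour-of-week slots in which dst is never contacted.

    At least min_weeks of data is required so that a single missed beacon
    (host asleep, network hiccup) is not mistaken for a configured window.
    """
    stamps = [ts for ts, d in map(parse_line, lines) if d == dst]
    if not stamps or max(stamps) - min(stamps) < timedelta(weeks=min_weeks):
        return []
    counts = hour_of_week_counts(lines, dst)
    all_slots = ((day, hour) for day in range(7) for hour in range(24))
    return sorted(slot for slot in all_slots if counts[slot] == 0)


if __name__ == "__main__":
    for day, hour in silent_hours(constructed_log_lines(), DST):
        print(f"no beacons to {DST} on weekday {day} at {hour:02d}:00")
```

Run against real proxy or firewall logs, the useful output is a short, repeating set of empty slots for a destination that is otherwise contacted around the clock; a host that is only reached during office hours will produce a large, uninteresting gap and is better filtered out by requiring a minimum beacon count outside the gap.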
Some parts of this article are sourced from:
www.infosecurity-journal.com