APT Group – Sharp Panda Used New Soul Framework Version to Target Governments in Southeast Asia

VTA-00439 – APT Group – Sharp Panda Used New Soul Framework Version to Target Governments in Southeast Asia

A cyber espionage campaign has been underway since late last year, targeting high-profile government entities in Southeast Asia. The Chinese threat actor behind the campaign, known as Sharp Panda, has been using a new version of the Soul modular framework, which represents a significant departure from the group’s previous attack chains. Israeli cybersecurity firm Check Point reported that the long-running campaign has historically targeted countries such as Vietnam, Thailand, and Indonesia. Check Point first documented Sharp Panda in June 2021, describing it as a highly organized operation that has made significant efforts to remain undetected.

In October 2021, Broadcom’s Symantec reported that an unattributed espionage operation was targeting the defense, healthcare, and ICT sectors in Southeast Asia using the Soul backdoor. Further research published by Fortinet FortiGuard Labs in February 2022 revealed that the Soul backdoor’s origins date back to October 2017, with the malware repurposing code from Gh0st RAT and other publicly available tools.

The attack chain used by Sharp Panda starts with a spear-phishing email containing a lure document that leverages the Royal Road Rich Text Format (RTF) weaponizer to drop a downloader by exploiting one of several vulnerabilities in the Microsoft Equation Editor. The downloader is designed to retrieve a loader known as SoulSearcher from a geofenced command-and-control (C&C) server that only responds to requests originating from IP addresses corresponding to the targeted countries.

The loader then downloads, decrypts, and executes the Soul backdoor and its other components, enabling the adversary to harvest a wide range of information. The Soul main module is responsible for communicating with the C&C server, and its primary purpose is to receive and load additional modules into memory. Interestingly, the backdoor configuration contains a “radio silence”-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server.
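The "radio silence" schedule described above is also a detection opportunity: a beacon that runs steadily all week but goes quiet in the same few hour-of-week slots, while the host keeps talking to everything else, looks different from a workstation that is simply switched off. The following added example (not from the advisory or from Check Point; the hostnames, addresses and single-line log format are constructed) scores proxy-style connection records for exactly that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_lines(lines):
    """Yield (timestamp, src, dst) from constructed 'ISO-timestamp src dst' lines."""
    for line in lines:
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def hour_of_week(ts):
    """Map a timestamp to a weekly slot: 0 = Monday 00:xx ... 167 = Sunday 23:xx."""
    return ts.weekday() * 24 + ts.hour

def suspicious_quiet_windows(lines, min_events=50):
    """For each frequently contacted (src, dst) pair, list the weekly slots in which
    dst was never contacted although src was active toward other destinations.
    A host that is powered off at night yields nothing: it is silent to everyone."""
    pair_hours, pair_count, host_hours = defaultdict(set), defaultdict(int), defaultdict(set)
    for ts, src, dst in parse_lines(lines):
        slot = hour_of_week(ts)
        pair_hours[(src, dst)].add(slot)
        pair_count[(src, dst)] += 1
        host_hours[src].add(slot)
    findings = {}
    for (src, dst), hours in pair_hours.items():
        if pair_count[(src, dst)] < min_events:
            continue  # too few events for a gap to mean anything
        quiet = sorted(host_hours[src] - hours)
        if quiet:
            findings[(src, dst)] = quiet
    return findings

def constructed_sample():
    """One synthetic week of proxy-style lines; hosts and addresses are made up."""
    start = datetime(2023, 3, 6)  # a Monday
    lines = []
    for minute in range(0, 7 * 24 * 60, 30):
        ts = start + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} ws-17 intranet.example.test")
        # implant-like beacon: every 30 min, except a configured silence Sun 02:00-05:59
        if not (ts.weekday() == 6 and 2 <= ts.hour <= 5):
            lines.append(f"{ts.isoformat()} ws-17 203.0.113.10")
        # ordinary workstation: all of its traffic stops outside business hours
        if ts.weekday() < 5 and 8 <= ts.hour <= 17:
            lines.append(f"{ts.isoformat()} ws-22 intranet.example.test")
            lines.append(f"{ts.isoformat()} ws-22 198.51.100.7")
    return lines

if __name__ == "__main__":
    for (src, dst), slots in suspicious_quiet_windows(constructed_sample()).items():
        print(f"{src} -> {dst}: silent in hour-of-week slots {slots}")
```

Slots 146 to 149 correspond to Sunday 02:00 through 05:59; the business-hours-only host produces no finding because its silence is not destination-specific.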

The findings suggest that Chinese advanced persistent threat (APT) groups often share tools to facilitate intelligence gathering. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities. Check Point notes that the campaign is likely staged by advanced Chinese-backed threat actors, and their other tools, capabilities, and position within the broader network of espionage activities are yet to be explored.


Attack Surfaces:
Email, Web Application

MITRE ATT&CK Tactics:
Collection, Command and Control, Defense Evasion, Execution, Persistence

MITRE ATT&CK Techniques:
T1566 – Spearphishing
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1547 – Boot or Logon Autostart Execution
T1132 – Data Encoding
T1027 – Obfuscated Files or Information
T1497 – Time Based Evasion
T1005 – Data from Local System

SuperPRO’s Threat Countermeasures Procedures:
1) Implement email security measures to detect and block spearphishing attacks: Organizations should use email security solutions that can scan emails for malicious attachments, links, or suspicious content, and block or quarantine them before they reach the end-users.
2) Apply security updates and patches regularly: Sharp Panda leveraged vulnerabilities in the Microsoft Equation Editor to drop the downloader. Therefore, it is important to ensure that all software and systems are up-to-date with the latest security patches and updates.
3) Use multi-factor authentication: To protect against credential theft and account takeover, organizations should enforce the use of multi-factor authentication (MFA) for all accounts and services that are accessible over the internet.
4) Implement network segmentation: Organizations should segment their networks to minimize lateral movement by attackers in case of a successful compromise. This means separating sensitive data and critical systems from less secure ones and restricting access to only authorized personnel.
5) Implement threat intelligence and detection tools: Organizations should use threat intelligence feeds and detection tools that can monitor and alert on suspicious network activity, including indicators of compromise associated with Sharp Panda’s tactics and techniques.
6) Conduct regular security awareness training: Organizations should educate their employees about the risks of spearphishing attacks and other social engineering tactics and train them to be vigilant against suspicious emails and links.
7) Follow the principle of least privilege: To limit the impact of successful attacks, organizations should follow the principle of least privilege and ensure that users have only the minimum access necessary to perform their job functions.
8) Conduct regular security assessments: Organizations should regularly assess their networks and systems for vulnerabilities and misconfigurations and remediate them promptly.

Contributed by: Sazcomingo
