Malware with “radio silence” Mode Sneaks into Southeast Asian Entities


Category: Threat Actor Activity | Industries: Communication, Defense, Government, Healthcare, Technology | Level: Tactical | Source: Check Point

Running since 2021, the Chinese cyber-espionage operation 'Sharp Panda' has been targeting high-profile government entities in Southeast Asia with spear-phishing attacks. Check Point Research followed the campaign closely and assesses that it is aimed at "particular nations with similar territorial claims or strategic infrastructure projects such as Vietnam, Thailand, and Indonesia." The campaign features a new version of the 'Soul' modular malware framework, equipped with a "radio silence" mode in which "the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server." Activity involving the Soul malware framework has previously been tied to attacks against defense, healthcare, and ICT (Information and Communication Technology) organizations in Southeast Asia; however, no known cluster of malicious activity had been connected to it until now. Although it is unclear whether a single threat actor uses the Soul framework, Check Point attributes the malware to an Advanced Persistent Threat (APT) group with Chinese roots.

In late 2022, new infection chains were observed in which malicious DOCX attachments, built with the RoyalRoad RTF kit, exploit Equation Editor vulnerabilities to install malware on the host. The exploit creates a scheduled task for persistence and then installs and runs a DLL malware downloader. The downloader retrieves a second DLL, the SoulSearcher loader, from the C2 server; the loader creates a registry key holding a compressed payload. That payload is decrypted and loaded into memory as the Soul modular backdoor, in an attempt to evade detection by antivirus tools on the compromised system. Once running, the primary Soul module establishes a connection to the C2 server and remains idle until further modules are received. The malware's stealth capabilities, such as its "radio silence" feature, are described by Check Point as an "advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected."

Anvilogic Scenario:

  • Infection Chain with Equation Editor

Anvilogic Use Cases:

  • Abuse EQNEDT32.EXE
  • Create/Modify Schtasks
  • Suspicious File written to Disk
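The infection chain described above and the three use cases listed here map directly onto host telemetry. The following Python is an added example, not Anvilogic's or Check Point's detection content: it runs three rules over constructed Sysmon-style events (a child process spawned by EQNEDT32.EXE; a `schtasks /create` or `/change` whose process ancestry contains Equation Editor or an Office application, which generalizes beyond the page's Equation Editor case; and an executable file written to disk by EQNEDT32.EXE) and then correlates them per host so that a machine hitting more than one rule surfaces as the "Infection Chain with Equation Editor" scenario. All hostnames, PIDs, paths, task names and timestamps are constructed.

```python
"""Host-based detections for the Equation Editor infection chain (added example)."""
from __future__ import annotations

import ntpath

# Processes whose descendants should not be creating scheduled tasks. The page
# names only Equation Editor; the Office applications are a generalization.
OFFICE_IMAGES = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXT = {".dll", ".exe", ".scr", ".cpl"}

# Constructed Sysmon-style telemetry (hosts, PIDs, paths, timestamps made up).
# EQNEDT32.EXE is started out-of-process via DCOM, so its parent is svchost.exe
# rather than WINWORD.EXE; the signal is what Equation Editor does next.
EVENTS = [
    {"ts": "2022-11-10T09:12:01Z", "event": "process_create", "host": "ws01", "pid": 812, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"ts": "2022-11-10T09:12:03Z", "event": "process_create", "host": "ws01", "pid": 4120, "ppid": 812,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"ts": "2022-11-10T09:12:04Z", "event": "file_create", "host": "ws01", "pid": 4120,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Constructed\update.dll"},
    {"ts": "2022-11-10T09:12:05Z", "event": "process_create", "host": "ws01", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "%APPDATA%\\Constructed\\run.cmd"'},
    {"ts": "2022-11-10T09:12:06Z", "event": "process_create", "host": "ws01", "pid": 4201, "ppid": 4188,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn ConstructedTask /tr "%APPDATA%\\Constructed\\run.cmd"'},
    # Benign: an administrator creating a task from an interactive shell on another host.
    {"ts": "2022-11-10T10:00:00Z", "event": "process_create", "host": "ws02", "pid": 5290, "ppid": 2100,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2022-11-10T10:00:05Z", "event": "process_create", "host": "ws02", "pid": 5300, "ppid": 5290,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2022-11-10T10:00:09Z", "event": "process_create", "host": "ws02", "pid": 5310, "ppid": 5300,
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /create /sc daily /tn Backup /tr backup.cmd"},
    # Benign: Word saving a document.
    {"ts": "2022-11-10T10:05:00Z", "event": "file_create", "host": "ws02", "pid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\bob\Documents\report.docx"},
]


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def build_process_table(events: list[dict]) -> dict[tuple[str, int], tuple[str, int]]:
    """Map (host, pid) -> (image basename, ppid) from process-creation events."""
    return {(e["host"], e["pid"]): (_base(e["image"]), e["ppid"])
            for e in events if e["event"] == "process_create"}


def ancestors(table: dict, host: str, pid: int, max_depth: int = 16) -> list[str]:
    """Basenames of the parent chain of (host, pid), nearest parent first."""
    chain: list[str] = []
    entry = table.get((host, pid))
    parent = entry[1] if entry else None
    while parent is not None and len(chain) < max_depth:
        entry = table.get((host, parent))
        if entry is None:          # parent not seen in telemetry; stop walking
            break
        chain.append(entry[0])
        parent = entry[1]
    return chain


def _finding(rule: str, e: dict, detail: str) -> dict:
    return {"rule": rule, "ts": e["ts"], "host": e["host"], "pid": e["pid"], "detail": detail}


def detect(events: list[dict]) -> list[dict]:
    """Apply the three use-case rules and return findings in event order."""
    table = build_process_table(events)
    findings: list[dict] = []
    for e in events:
        img = _base(e["image"])
        if e["event"] == "process_create":
            parent = table.get((e["host"], e["ppid"]))
            # Rule 1 (Abuse EQNEDT32.EXE): Equation Editor has no reason to spawn children.
            if parent and parent[0] == "eqnedt32.exe":
                findings.append(_finding("abuse_eqnedt32", e, f"{img} spawned by EQNEDT32.EXE"))
            # Rule 2 (Create/Modify Schtasks): task creation with an Office/Equation Editor ancestor.
            cmd = e["cmdline"].lower()
            if img == "schtasks.exe" and ("/create" in cmd or "/change" in cmd):
                hit = next((a for a in ancestors(table, e["host"], e["pid"]) if a in OFFICE_IMAGES), None)
                if hit:
                    findings.append(_finding("schtasks_create_from_office_chain", e, f"ancestor {hit}: {e['cmdline']}"))
        elif e["event"] == "file_create":
            # Rule 3 (Suspicious File written to Disk): executable content dropped by Equation Editor.
            ext = ntpath.splitext(e["target"])[1].lower()
            if img == "eqnedt32.exe" and ext in EXECUTABLE_EXT:
                findings.append(_finding("suspicious_file_write", e, e["target"]))
    return findings


def chained_hosts(findings: list[dict], min_rules: int = 2) -> set[str]:
    """Hosts that tripped at least `min_rules` distinct rules: the infection-chain scenario."""
    rules_by_host: dict[str, set[str]] = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, r in rules_by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['rule']}: {h['detail']}")
    print("infection-chain hosts:", sorted(chained_hosts(hits)))
```

On the constructed input, ws01 trips all three rules and is reported as the chained host, while the administrator's `schtasks /create` on ws02 and Word's document save are left alone because neither has an Equation Editor or Office ancestor writing executable content. The per-host correlation is what keeps the individual rules usable: `schtasks /create` on its own is far too common to alert on, but the same host also writing a DLL from EQNEDT32.EXE within seconds is the chain the report describes.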
