CPR uncovers cyber espionage campaign targeting SEA governments
Check Point Research (CPR) has revealed that an ongoing cyber espionage campaign has expanded to target more Southeast Asian governments, including Vietnam, Thailand and Indonesia.
Attributed to Chinese APT group SharpPanda, the campaign uses a malware framework called "Soul" to steal information and spy on government activities.
CPR has released a new report that extensively details the infection chain of the Soul malware family.
In late 2022, a campaign with an initial infection vector similar to previous Sharp Panda operations targeted a high-profile government entity in the region. The payload in this specific attack is a new version of the SoulSearcher loader, which eventually loads the Soul modular framework.
Although the Soul malware framework was previously seen in an espionage campaign targeting the defence, healthcare, and ICT sectors in Southeast Asia, it was never previously attributed or connected to any known cluster of malicious activity, CPR states.
According to CPR, this is an expansion of an ongoing cyber espionage campaign to target more Southeast Asian governments, including Vietnam, Thailand, and Indonesia.
In June 2021, CPR identified that SharpPanda was using spear-phishing and Microsoft Office vulnerabilities to gain access to target networks. CPR continued to track SharpPanda's activity, learning of a cyber attack on a high-profile government entity in late 2022. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities.
The attack begins as a phishing email carrying a malicious document that references a remote template; when the document is opened, the template is fetched and its embedded exploit is triggered. The exploit runs a built-in downloader, which retrieves the next stage and ultimately runs the Soul backdoor. Although the Soul malware framework was previously seen by Symantec in an espionage campaign targeting the defence, healthcare and ICT sectors in Southeast Asia, it was never previously attributed or connected to any known cluster of malicious activity.
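The remote-template lure described above is detectable before any exploit runs, because a Word document that pulls a template from the network must declare it in its OOXML relationship parts. The following script is an added example, not code from CPR's report or from the Soul/SharpPanda tooling: it builds a minimal constructed .docx in memory (not a real lure) and scans every `.rels` part for an `attachedTemplate` relationship whose `TargetMode` is `External`, which is the marker a triage analyst or mail gateway would look for. The helper names and the sample URL are assumptions for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional

# OOXML relationship type that Word uses for an attached (.dotm) template
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS


def build_sample_docx(template_target: Optional[str] = None, external: bool = True) -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real lure).

    If template_target is set, word/settings.xml points at it via rId1; with
    external=True the relationship is marked TargetMode="External", which is
    exactly how a remote-template lure tells Word to fetch the template.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>",
        )
        # An ordinary internal relationship that must NOT be flagged.
        z.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            "</Relationships>" % REL_NS,
        )
        if template_target is not None:
            z.writestr(
                "word/settings.xml",
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>',
            )
            mode = ' TargetMode="External"' if external else ""
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                "</Relationships>" % (REL_NS, ATTACHED_TEMPLATE, template_target, mode),
            )
    return buf.getvalue()


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every external attachedTemplate relationship in the package.

    Every *.rels part is checked, not just word/_rels/settings.xml.rels, so a
    relationship hidden in an unusual part is still caught. Unparseable parts
    are skipped rather than aborting the scan.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(REL_TAG):
                if (
                    rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal") == "External"
                ):
                    hits.append(rel.get("Target", ""))
    return hits


if __name__ == "__main__":
    # Assumed sample URL for illustration only.
    lure = build_sample_docx("http://example.invalid/template.dotm")
    print("remote templates:", find_remote_templates(lure))
```

A document that legitimately attaches a local template keeps `TargetMode` absent (internal), so the check above does not fire on it; a hit should be treated as a strong indicator and the target host pulled into the incident's IOC set.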
CPR states it is uncertain whether the Soul framework is utilised solely by a single threat actor. The connection between the tools of Sharp Panda and the previously mentioned attacks in Southeast Asia serves as another example of key characteristics inherent to China-based APT operations, such as the sharing of custom tooling between groups or task specialisation among threat actors, where one entity is responsible for the initial infection and another for the actual intelligence gathering.
Ultimately, CPR attributes the cyber espionage campaign to an APT group with Chinese origins, whose motive is to steal data and spy on government entities.
Eli Smadja, Research Group Manager at Check Point Software, says, "Based on the technical findings presented in this research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored. While Sharp Panda's previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of SoulSearcher loader, which eventually loads the Soul modular framework.
"Usually, the attack starts as a phishing attack with a malicious document containing a remote template with a RoyalRoad exploit. The exploit runs a built-in downloader and then downloads the second stage of the Soul framework, which runs the Soul backdoor. Although the samples of this framework from 2017-2021 were analysed before, this is the most extensive infection chain of the Soul malware family to be documented, including the full technical analysis of the latest version, compiled in late 2022."