In 2021, Check Point said Chinese hacking groups were targeting employees of government agencies in Southeast Asia. Its latest report sheds more light on the toolset used in the campaign dubbed “Sharp Panda.” According to Check Point, Chinese hackers are using a new variant of the SoulSearcher malware in these attacks. Although the Soul malware family has been around for over five years, the new version highlighted in this report has some unique features, including a “radio silence” mode to evade detection. “While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities,” Check Point said.
Sharp Panda’s ‘Advanced OpSec’ Features
Check Point described the new “radio silence” feature as “an advanced OpSec [operational security] feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected.” “While Sharp Panda’s previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of SoulSearcher loader, which eventually loads the Soul modular framework,” the report said. Chinese hackers were previously observed targeting the defense, healthcare, and ICT sectors in Southeast Asian countries. It is unclear whether this is a single threat actor or a group. The similarity between the previous attacks and the current Tactics, Techniques, and Procedures (TTPs) of Sharp Panda suggests that China-based APT groups share custom tools and may delegate one entity for initial infection while another is responsible for cyber-espionage intelligence gathering, Check Point added.
Phishing Emails Contain ‘Government-Themed Lures’
Despite the upgrades to their toolset, Chinese Advanced Persistent Threat (APT) groups are still using spear-phishing emails as an attack vector to compromise high-profile targets in Southeast Asian government agencies. The Sharp Panda infection starts with an email containing a Word document “with government-themed lures that leveraged a remote template to download and run a malicious text document, weaponized with the infamous RoyalRoad kit,” Check Point said. If the malicious document is downloaded, it activates a custom DLL downloader and a “second stage-loader” that delivers a backdoor in a victim’s operating system. The researchers explained that the downloader first scans for potentially usable data such as hostnames, OS names and versions, usernames, MAC addresses, and even “information on anti-virus solutions.” If the target is viable, the latter stages commence. Check Point said this initial part of the infection chain has remained the same over the years; however, a DLL different from the earlier ‘VictoryDll’ was observed being injected from the threat actor’s server this year. “Further analysis revealed that this payload is a new version of SoulSearcher loader, which is responsible for downloading, decrypting, and loading in memory other modules of the Soul modular backdoor,” the report explained. Interestingly, Check Point researchers noted that Sharp Panda infections occur consistently between 1 AM and 8 AM UTC, Monday through Friday, with the exception of the Chinese Spring Festival.
Defending Against Sharp Panda Attacks
“Chinese APT teams are among the most active and capable,” Chief Research Analyst at IT-Harvest, Richard Stiennon, told VPNOverview. This sentiment was echoed in the recently released U.S. National Cybersecurity Strategy. In February 2021, Check Point Research said a China-linked hacking group, APT31 (aka Zirconium/Hurricane Panda), which hijacked and cloned a U.S. National Security Agency (NSA) tool, represents one of the most advanced cybersecurity threats detected in over twenty years. Sharp Panda attacks typically exploit older software vulnerabilities. “The RoyalRoad RTF kit was reported as the tool of choice among Chinese APT groups and is still used despite the exploitation of old patched vulnerabilities,” Check Point said. Since the initial Sharp Panda infection vector is delivered via a targeted phishing email, it is important not to interact with emails from an unknown or suspicious sender address. Stiennon further explained how to defend against Sharp Panda attacks. “In this case, they use known CC servers and an easily blocked Docx file. Organizations should deploy email security solutions that sandbox and detonate all attachments,” he said. “They should block all communications with known command and control servers.” We recommend using a premium antivirus solution with real-time detection technology like Norton 360. Consult our guide to phishing for more information about how to spot and defend against this type of social engineering attack.