A CYBERTHREAT intelligence company revealed that there’s an expansion of an ongoing cyberespionage campaign that targets Southeast Asian governments. Israel-based CheckPoint Research (CPR) said on March 10 that these Asean governments include Vietnam, THAILAND, AND INDONESIA, AND EVEN IDENTIfiED THE origin of the cyberthreat actor.

In June 2021, CPR pointed to a group called SharpPanda as an “advanced persistent threat” (APT). APT is a malicious actor who possesses extraordinary skill and resources — “enabling them to infiltrate and exfiltrate an organization’s network.”

The research group also believed that SharpPanda originated from China, which uses spear-phishing and Microsoft vulnerabilities to gain access to target networks. CPR continued to track the cybercriminal’s activity since then, learning of a cyberattack on a high-profile government entity in late 2022, stealing data and spying on government entities.

“We’re seeing a long-running Chinese cyberespionage operation targeting Southeast Asian government entities, including Vietnam, Thailand and Indonesia,” said Eli Smadja, research group manager at Check Point Software.

“There’s an interesting connection between two attack tools set for the first time. Based on the technical findings presented in this research, we believe this campaign is staged by advanced Chinesebacked threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored,” added Smadja.

The payload in this specific attack leverages what’s known as the Soul modular framework, a previously unattributed modular malware framework. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities.

The attack begins as a phishing attack with a malicious document containing a remote template with an exploit. The exploit runs a builtin downloader, which helps run the Soul backdoor.

Although the Soul malware framework was previously seen by Semantic in an espionage campaign targeting the defense, health care and ICT sectors in Southeast Asia, it was never previously attributed or connected to any known cluster of malicious activity. Currently, it is uncertain whether the Soul framework is solely utilized by a single threat actor.

The connection between the tools of Sharp Panda and the previously mentioned attacks in South East Asia serves as yet another example of key characteristics inherent to China-based APT operations, such as sharing of custom tooling between the groups or task specialization of threat actors, where one entity is responsible for the initial infection and another one is for actual intelligence gathering.

While Sharp Panda’s previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of SoulSearcher loader, which eventually loads the Soul modular framework,” said Smadja.

“Usually, the attack starts as a phishing attack with a malicious document containing a remote template with a Royalroad exploit. The exploit runs a built-in downloader and then downloads the second stage of Soul framework, which runs the Soul backdoor. Although the samples of this framework from 2017-2021 were analyzed before, this is the most extensive infection chain of the Soul malware family to be documented, including the full technical analysis of the latest version, compiled in late 2022,” added Smadja.