Cybersecurity researchers at Check Point have discovered a new variant of the “Soul” malware framework that features a “Radio Silence” mode that helps the malware and its operators evade detection. The Soul malware has previously been seen in numerous campaigns by Chinese APTs targeting critical Southeast Asian organizations. This new variant has been attributed to the Chinese threat actor tracked as “Sharp Panda” based on the use of the RoyalRoad RTF kit, the C2 server addresses, and the TTPs displayed in this new campaign. The group was seen using this new variant to target government entities in Vietnam, Thailand, and Indonesia.
This new variant is typically delivered through a spear-phishing email carrying a malicious DOCX file that drops the RoyalRoad RTF kit. The kit attempts its exploits, deploys a DLL downloader, and creates a scheduled task. The DLL downloader then downloads and executes a second DLL, the SoulSearcher Loader, which in turn downloads the Soul malware framework: a modular backdoor consisting of numerous DLL files.
The new “Radio Silence” mode in this variant of the framework allows the threat actors to specify hours of the week during which the malware should not communicate with the C2 server. Per Check Point, “This is an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected.” This new variant also includes a custom C2 communication protocol that uses various HTTP request methods. The commands it can receive concern loading and enumerating additional modules, collecting and exfiltrating enumeration data, and restarting the C2 communication, among others.
While many of the capabilities of this malware framework are rather typical, the “Radio Silence” mode is somewhat novel and is not displayed by many malware implants. Malware in an environment can often be identified through abnormal communications, such as a large number of connections over the weekend from a host that is normally dormant at that time. With this feature, however, the operators can pick and choose when their communications are sent, allowing them to blend in better with typical traffic. This new malware variant demonstrates the need for a defense-in-depth strategy that can detect the malware at a different point in its infection chain.
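To make the detection point concrete, the following is an added example written for this summary; it is not code from Check Point, from the Soul framework, or from the original article. It builds a small set of constructed proxy log lines (host names, destinations such as `c2.invalid`, and timings are all made up) and runs two defender-side rules over them: an off-hours rule of the kind the paragraph above describes, and a beacon-regularity rule that looks at the spacing between connections to one destination regardless of the hours in which they occur. The constructed `WS-02` host beacons only during Mon-Fri business hours, mimicking a time-restricted implant, so the off-hours rule never fires for it; the regularity rule still flags it because its inter-connection gaps cluster tightly around one value even with the overnight pauses. The thresholds are assumptions chosen for the sample data, not tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# --- Constructed sample data (not real telemetry) --------------------------
MONDAY = datetime(2023, 3, 6)  # an arbitrary Monday used as the week start


def build_sample_logs():
    """Return constructed proxy log lines of the form '<ISO timestamp> <host> <dest>'."""
    lines = []
    # WS-01: ordinary browsing on Monday with irregular gaps (minutes after 09:00)
    for off in [0, 3, 11, 12, 27, 45, 60, 94, 130, 131, 135, 180, 250, 260, 300]:
        ts = MONDAY + timedelta(hours=9, minutes=off)
        lines.append(f"{ts.isoformat()} WS-01 intranet.example")
    # WS-02: beacon to a made-up C2 host every 30 minutes, but only Mon-Fri 09:00-16:30
    for day in range(5):
        for slot in range(16):
            ts = MONDAY + timedelta(days=day, hours=9, minutes=30 * slot)
            lines.append(f"{ts.isoformat()} WS-02 c2.invalid")
    # WS-03: beacon to another made-up C2 host every hour, around the clock all week
    for hour in range(7 * 24):
        ts = MONDAY + timedelta(hours=hour)
        lines.append(f"{ts.isoformat()} WS-03 c2-2.invalid")
    return lines


def parse(lines):
    """Parse the constructed log format into (timestamp, host, dest) tuples."""
    records = []
    for line in lines:
        ts, host, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, dest))
    return records


def off_hours_hosts(records, min_hits=5):
    """Rule 1: hosts with at least min_hits connections outside Mon-Fri 08:00-18:00.

    This is the 'busy over the weekend' heuristic; a beacon confined to
    business hours produces zero hits here.
    """
    hits = defaultdict(int)
    for ts, host, _ in records:
        if ts.weekday() >= 5 or not (8 <= ts.hour < 18):
            hits[host] += 1
    return {host for host, n in hits.items() if n >= min_hits}


def regular_beacons(records, min_conns=10, tolerance=0.10, min_fraction=0.7):
    """Rule 2: (host, dest) pairs whose inter-connection gaps cluster around
    one value. Using the median gap keeps a few long pauses (nights, weekends)
    from hiding an otherwise fixed interval.
    """
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        by_pair[(host, dest)].append(ts)
    flagged = set()
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        typical = median(gaps)
        near = sum(1 for g in gaps if abs(g - typical) <= tolerance * typical)
        if near / len(gaps) >= min_fraction:
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    records = parse(build_sample_logs())
    print("off-hours rule flags:", sorted(off_hours_hosts(records)))
    print("regularity rule flags:", sorted(regular_beacons(records)))
```

Running it shows the off-hours rule flagging only `WS-03`, while the regularity rule flags both `WS-02` and `WS-03`. Neither rule is sufficient on its own: an implant that adds random jitter to its interval would weaken the second rule, which is why the article's point about detecting the chain at other stages (the malicious document, the scheduled task, the loader DLL) still stands.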