Cyber Espionage campaign ‘Sharp Panda’ on strike against South Asian organizations

Southeast Asian countries are being targeted by a cyberespionage campaign called Sharp Panda, which began in 2022 and uses a completely different toolset from the group's earlier operations.

Since then, the security firm Check Point has tracked and monitored those tools.

“In late 2022, a campaign with an initial infection vector similar to previous Sharp Panda operations targeted a high-profile government entity in the region.”

Check Point's findings

According to a Check Point report, the campaign started in late 2022 and targets government organizations in Vietnam, Indonesia, and Thailand.

  • The campaign uses spear-phishing emails for initial access, carrying malicious documents with government-themed lures. The documents are built with the RoyalRoad RTF kit, which exploits older vulnerabilities to continue the infection.
  • Once inside the target network, it downloads the SoulSearcher loader, part of the Soul malware framework, which in turn loads the main module, the Soul backdoor.
  • The backdoor connects to the C2 server and waits for instructions from the attacker about loading additional modules.

“The main Soul module is responsible for communicating with the C&C server and its primary purpose is to receive and load in memory additional modules,” Check Point said.

They further said: “Interestingly, the backdoor configuration contains a ‘radio silence’-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server.”
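The ‘radio silence’ configuration quoted above gives defenders a detection angle: a host that beacons regularly but is always quiet during the same hours of the week. The following is an added example, not Check Point's code or anything from the report; it bins constructed, hypothetical proxy-log beacon timestamps into hour-of-week slots and reports recurring empty windows. The log format and addresses are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

SLOTS = 7 * 24  # hour-of-week bins: Monday 00:00 is slot 0, Sunday 23:00 is 167


def make_sample_log(weeks=2, quiet=(120, 132)):
    """Constructed sample: one host beaconing hourly for `weeks` weeks, except
    during a hypothetical quiet window (slots 120-131 = Saturday 00:00-11:59)."""
    start = datetime(2023, 6, 5)  # a Monday
    lines = []
    for h in range(weeks * SLOTS):
        if not quiet[0] <= h % SLOTS < quiet[1]:
            ts = start + timedelta(hours=h, minutes=3)
            lines.append(f"{ts.isoformat()} 10.0.0.7 -> 203.0.113.9:443")
    return lines


def parse_timestamps(lines):
    """Assumed log layout: ISO-8601 timestamp first, then the connection."""
    return [datetime.fromisoformat(line.split(" ", 1)[0]) for line in lines]


def hour_of_week(ts):
    return ts.weekday() * 24 + ts.hour


def silent_windows(timestamps, min_hours=3):
    """Return (start_slot, end_slot) runs of hour-of-week bins with no traffic
    lasting at least min_hours. Needs more than one full week of data, since a
    single week cannot distinguish a recurring window from a one-off gap."""
    if not timestamps or max(timestamps) - min(timestamps) < timedelta(days=7):
        return []
    counts = Counter(hour_of_week(t) for t in timestamps)
    windows, run_start = [], None
    for slot in range(SLOTS + 1):  # extra iteration closes a run at slot 167
        empty = slot < SLOTS and counts[slot] == 0
        if empty and run_start is None:
            run_start = slot
        elif not empty and run_start is not None:
            if slot - run_start >= min_hours:
                windows.append((run_start, slot))
            run_start = None
    return windows


def describe(window):
    days = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    s, e = window[0], window[1] - 1
    return f"{days[s // 24]} {s % 24:02d}:00 to {days[e // 24]} {e % 24:02d}:59"
```

Run on real proxy or firewall logs, the same binning per source/destination pair surfaces hosts whose outbound connections consistently vanish in a fixed weekly window, which is worth a closer look even when the traffic itself looks benign.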

Sharp Panda’s course of action

Sharp Panda is believed to be based in China and primarily targets government agencies, military organizations, defense contractors, and companies in the aerospace and telecommunications sectors.

The group is known to use various tactics, techniques, and procedures (TTPs) to carry out its attacks, including spear-phishing emails, watering-hole attacks, and custom malware.

One of Sharp Panda’s most well-known attacks targeted a major US defense contractor in 2016, where the group used a watering hole attack to target the company’s employees. The attackers compromised the website of a popular job search portal and injected it with malicious code that would download malware onto visitors’ computers.

Conclusion

Chinese APT groups are working toward a common goal: eavesdropping on sensitive government information. While the Soul framework itself remains the same, the tactics and tools built around it are evolving daily.

Experts think such espionage campaigns are growing more sophisticated in their tooling, and adopting a proactive approach to countering them has become essential. The increasingly refined design of each malware family and threat actor has made operating safely online harder.

author

PureVPN

date

June 20, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.