A Dive into the Soul: Analyzing Sharp Panda’s Latest Cyber Espionage Campaign 

What is Sharp Panda?

Sharp Panda, also known as APT19, Emissary Panda, or Iron Tiger, is a Chinese Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily targets government organizations, defense contractors, and research institutions in Southeast Asia, Europe, and the United States. 

Sharp Panda Origins 

Sharp Panda has been active since at least 2012, and it has been attributed to the Chinese government or Chinese state-sponsored organizations by various security researchers and government agencies. The group is known to share tools and infrastructure with other Chinese APT groups, such as APT17 (also known as Deputy Dog). This tool sharing suggests that the group is part of a broader network of Chinese state-sponsored cyber espionage activities. 

Targeted Industries 

Sharp Panda primarily targets government organizations, defense contractors, and research institutions in Southeast Asia, Europe, and the United States. The group’s tactics, techniques, and procedures (TTPs) include: 

• Spear-phishing emails 
• Waterhole attacks 
• Supply chain attacks 
• Custom malware  

• And backdoors 

These TTPs suggest that the group is primarily interested in gaining access to sensitive data and intellectual property related to government operations, defense technologies, and innovative research. 

Geo-Political Considerations 

Sharp Panda is believed to be based in China, and it is widely suspected to be a state-sponsored APT group. The group’s activities align with China’s strategic interests in gaining access to sensitive data and intellectual property from foreign governments and organizations. Additionally, the group’s targeting of Southeast Asian countries like Vietnam, Thailand, and Indonesia can be seen as part of China’s broader efforts to extend its economic and political influence in the region. 

Technical Details: The Soul Modular Framework 

Sharp Panda is known for using a range of sophisticated TTPs, including the use of a new version of the Soul modular framework in its attacks. The Soul framework is a custom malware framework that has been used by multiple Chinese APT groups, and is designed to be modular, with different components responsible for different tasks, such as communication with command-and-control servers, data exfiltration, and lateral movement. 

Recently, the group is using an updated version of the Soul Framework to execute their attacks. The attack chain begins with a spear-phishing email containing a lure document that leverages the Royal Road Rich Text Format (RTF) weaponized to drop a downloader by exploiting one of several vulnerabilities in the Microsoft Equation Editor. The downloader then retrieves a loader known as SoulSearcher from a geofenced command-and-control (C&C) server that only responds to requests originating from IP addresses corresponding to the targeted countries. 

The SoulSearcher loader is responsible for downloading, decrypting, and executing the Soul backdoor and its other components, thereby enabling the adversary to harvest a wide range of information. This custom malware is designed with stealth and persistence in mind, the backdoor of which is responsible for communicating with the command-and-control server, executing commands, and exfiltrating data.  

Interestingly, the backdoor configuration contains a “radio silence”-like feature, where the actors can specify specific hours in a week when the backdoor is not allowed to communicate with the C&C server. This feature is likely designed to help the attackers avoid detection by security tools that are looking for anomalous network traffic. 

The use of the Soul backdoor was detailed by Broadcom’s Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The implant’s origins, according to research published by Fortinet FortiGuard Labs in February 2022, date as far back as October 2017, with the malware repurposing code from Gh0st RAT and other publicly available tools. 

Key Takeaways 

Sharp Panda is a highly sophisticated and persistent APT group that primarily focuses on cyber espionage and intelligence gathering. The group’s activities align with China’s strategic interests in gaining access to sensitive data and intellectual property from foreign governments and organizations, and its targeting of Southeast Asian countries can be seen as part of China’s broader geopolitical objectives. The group’s use of sophisticated TTPs, including the new version of the Soul modular framework and backdoor, makes it a significant threat to government organizations, defense contractors, and research institutions in Southeast Asia, Europe, and the United States. 

For more information on emerging cyberthreats, keep up with our Intelligence Hub for situational updates from our Cyber Threat Intelligence (CTI) team, or connect with an expert today.