{"id":18378,"date":"2022-02-25T21:40:14","date_gmt":"2022-02-26T05:40:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12111\/"},"modified":"2022-02-25T21:40:14","modified_gmt":"2022-02-26T05:40:14","slug":"news-12111","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12111\/","title":{"rendered":"The Hunt for the Lost Soul: Unraveling the Evolution of the SoulSearcher Malware"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Research<\/h2>\n

Affected Platforms:<\/b> Windows
Impacted Users: <\/b>Windows Users
Impact:<\/b> Collects sensitive information and executes additional malicious modules
Severity Level: <\/b>Critical <\/p>\n

A threat report<\/a> published by Symantec in October 2021 recently caught our attention. It discusses an unknown threat actor conducting an espionage campaign in Southeast Asia using a new custom malware arsenal. What piqued our curiosity most was the mention of a DLL payload loaded from the registry that had yet to be discovered.<\/p>\n

The reason the module was difficult to find became apparent after analyzing its loader. The module is stored as a compressed blob with a custom header in the registry. It is never written to disk, rendering it unlikely to appear in datasets like VirusTotal.<\/p>\n

And so, we embarked on a journey to hunt for the lost module. We have now uncovered a sample of the module and a plethora of components and variants dating as far back as 2017. Reverse engineering the samples has allowed us to observe the progression of the development of this malware throughout the years. Over time, custom code was added, components were upgraded, capabilities expanded, the code became neater, and modularity increased.<\/p>\n

This blog will examine the different components of this malware and their progression over time, thereby mapping the evolution of the Soul malware framework.<\/p>\n

Theory of Evolution<\/h2>\n

In the earliest phase, the attackers used a backdoor that incorporated code of the open-source Gh0st RAT and NetBot Attacker tools, albeit with considerable modifications. The backdoor is embedded as a compressed blob in its dropper executable, which writes it to disk and runs it.<\/p>\n

Within a year, the backdoor\u2019s code was refactored and had custom code added to it, completing its transformation into what we refer to as a Soul module. Its loader, which we dubbed SoulSearcher, changed as well. Instead of dropping the payload to disk, the compressed module is stored in the registry and is loaded in-memory.<\/p>\n

Since the beginning of 2020, we have detected increasingly intricate SoulSearcher variants, some of which support loading multiple modules from the registry. They have significantly transformed over time, and their configuration artifacts shed light on possible Soul module capabilities.<\/p>\n

Aside from the backdoors, additional tools were used, such as keyloggers and a custom-compiled 7zr tool (reduced standalone 7-zip).<\/p>\n

A complete timeline of the various components is depicted below, beginning in 2017 with the first keylogger and backdoor and ending with the recent SoulSearcher variants found in November 2021.<\/p>\n<\/p><\/div>\n