A threat report published by Symantec in October 2021 caught the attention of cybersecurity experts because it describes an unknown threat actor running an espionage campaign in Southeast Asia with a new arsenal of custom malware. It was the mention of a DLL payload loaded from the registry, a component that had not yet been discovered, that made many pay attention to this threat.

The reason the module was difficult to find became clear after analyzing its loader: the module is stored in the registry as a compressed blob with a custom header. It is never written to disk, so it is unlikely to show up in datasets such as VirusTotal.

SoulSearcher malware is highly advanced, and one of its main advantages over traditional implants is its ability to operate in fileless mode: it stores its data in the Windows Registry and then runs from Random Access Memory (RAM). It also has a modular structure that follows the same modus operandi. This improves SoulSearcher Malware's ability to evade some security tools, but you should still be safe from its attack as long as you are using an up-to-date anti-malware service; because of this and all the other threats that exist on the net, having a good anti-malware product is of the utmost importance.
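The two paragraphs above describe the same defensive problem: a payload that lives only as a compressed blob inside a registry value never touches disk, so file scanners and disk-based datasets miss it, and the place to look is the registry itself. The script below is an added example (not code from the original article, from Symantec, or from the malware) of the triage check a hunter would run for that storage technique: it flags registry values that are both unusually large and have byte entropy near the 8-bit maximum, which is what compressed or encrypted data looks like. The size and entropy thresholds, the key paths, the value names and the 4-byte header in the sample are all constructed for illustration and make no claim about SoulSearcher's real header format.

```python
import math
import random
from collections import Counter
from typing import Iterable, List, Tuple

# A registry value represented as (key path, value name, raw data bytes).
RegValue = Tuple[str, str, bytes]

# Hypothetical triage thresholds (assumption, not from the article): stored
# payloads are far larger than ordinary configuration values, and compressed
# or encrypted data has byte entropy close to the 8-bit ceiling.
MIN_SIZE = 4096
MIN_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_values(values: Iterable[RegValue]) -> List[dict]:
    """Return the registry values that look like an embedded binary payload.

    Each finding records where the value lives plus its size and entropy so an
    analyst can pull the blob for further inspection (e.g. trying to decompress
    it after skipping whatever header precedes the data).
    """
    findings = []
    for path, name, data in values:
        size = len(data)
        ent = shannon_entropy(data)
        if size >= MIN_SIZE and ent >= MIN_ENTROPY:
            findings.append(
                {"path": path, "name": name, "size": size, "entropy": round(ent, 2)}
            )
    return findings


def constructed_sample() -> List[RegValue]:
    """Constructed registry contents for an offline run (no live registry access).

    Two benign-looking values (a short install path and a large but
    zero-filled layout blob) sit beside a constructed high-entropy blob with
    a made-up 4-byte header, standing in for a compressed module.
    """
    rng = random.Random(20211001)  # fixed seed keeps the sample deterministic
    pseudo_compressed = bytes(rng.getrandbits(8) for _ in range(65536))
    blob = b"HDR\x00" + pseudo_compressed  # "HDR\x00" is an invented header
    return [
        ("HKLM\\SOFTWARE\\Example\\App", "InstallPath", b"C:\\Program Files\\Example\\"),
        ("HKCU\\Software\\Example\\App", "Layout", bytes(8192)),
        ("HKLM\\SOFTWARE\\Example\\Cache", "Data", blob),
    ]


if __name__ == "__main__":
    for f in scan_values(constructed_sample()):
        print(f"{f['path']}\\{f['name']}: {f['size']} bytes, entropy {f['entropy']}")
```

On a live Windows host the same `scan_values` function can be fed from an enumeration of hives with the standard-library `winreg` module (or from an exported hive parsed offline); the sample above is constructed so the example runs anywhere. Treat a hit as a lead rather than a verdict: legitimate software also stores large high-entropy blobs (certificates, encrypted credentials, cached resources), so the value's owner, its creation time and the process that reads it are what turn a finding into an incident.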

SoulSearcher Malware's code shares some similarities with Gh0st RAT, but it is unclear whether the same group of criminals is behind both threats. The so-called 'Soul' modules used by SoulSearcher Malware have virtually endless possibilities, as long as their creators manage to program them to avoid detection. Needless to say, this makes SoulSearcher Malware an extremely dangerous threat that should not be underestimated.

