Malware, dubbed ‘SoreFang’ by the NCSC, is a first-stage downloader that uses HTTP to exfiltrate victim information and to download second-stage malware.
The sample analysed by the NCSC shares infrastructure with a WellMess sample (103.216.221[.]19).
It is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including ‘DarkHotel’, have also targeted SangFor devices. Therefore, not all SangFor exploitation activity relates to targeting by APT29.
Once delivered, SoreFang attempts to replace the firmware on all SangFor VPN servers on the network; as VPN clients connect to these servers, SoreFang is installed in place of the original firmware. It then checks for the presence of a number of files on the affected clients and, if they are not present, collects system information and file enumeration data. This information is encrypted and sent over HTTP to a command and control server, where it is used to determine the type of payload to deliver.
For a downloadable copy of the IOCs, see MAR-10296782-1.v1.stix.