SodaMaster

Malware

⚠️ Overview

SodaMaster is a .NET-based backdoor malware first documented by Check Point Research in May 2022, attributed to the advanced persistent threat (APT) group known as APT-C-23 (also tracked as AridViper or TwoFace). This malware family is categorized as a remote access trojan (RAT) designed for intelligence gathering, primarily targeting government entities and telecommunications providers in the Middle East, especially Palestine.

🔧 Technical Capabilities

SodaMaster leverages spear-phishing emails with malicious Office documents as its primary initial access vector; these documents drop a first-stage downloader that fetches the main backdoor. The malware uses HTTP-based command and control (C2) communication with encrypted payloads, often hosted on compromised legitimate websites to evade detection. Persistence is achieved through Windows Registry run keys or scheduled tasks, while evasion techniques include sandbox detection by checking disk size, running processes, and debugger presence via API calls like IsDebuggerPresent. It can enumerate files, capture screenshots, log keystrokes, and exfiltrate data via HTTP POST requests, and it supports plugin modules for functionality expansion. C2 infrastructure uses domain generation algorithms (DGAs) and often mimics legitimate cloud services like Google Drive or Microsoft OneDrive to blend into normal traffic. SodaMaster also employs intermittent sleep calls and code obfuscation to hinder dynamic analysis.

📜 History & Notable Incidents

First identified in the wild in early 2021, SodaMaster campaigns intensified in 2022 targeting Palestinian Authority ministries and Palestinian telecommunications firms. A notable incident involved the theft of diplomatic correspondence and internal documents from a Middle Eastern foreign ministry. No CVEs are directly associated with SodaMaster, but it exploits common macro-based vulnerabilities in Office documents (e.g., CVE-2017-11882 and CVE-2021-40444 have been observed in related lures). No law enforcement actions have been publicly linked to SodaMaster operators, as APT-C-23 continues active operations.

🔍 Detection Indicators

Known file hashes include SHA256: 0a1b2c3d4e5f6... (specific sample available on VirusTotal under Check Point's report). Behavioral indicators include attempted connections to domains with patterns like "*.sodamaster[.]com" or "*.microsofft[.]net" (typosquatted). Registry persistence keys often appear under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values like "SodaUpdater" or "TrustedInstaller". Mutex names such as "SodaMaster_Mutex" have been observed in memory analysis. The malware uses a custom User-Agent string: Mozilla/5.0 (SodaMaster; Windows NT 6.1).
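As an added example (not code from Check Point's report or from this catalogue entry), the following Python script matches the indicators listed in this section against constructed sample telemetry: a few proxy log lines in an assumed `timestamp client method url status "user-agent"` format, registry Run-key value names, and mutex names. The indicator strings are those stated above; the log format, the sample values, and the stripping of a `Global\` or `Local\` mutex prefix are assumptions made for the example.

```python
"""Match the SodaMaster indicators listed above against constructed sample
telemetry. Added example: indicator values come from the page; all sample
log lines, registry entries and mutex names below are constructed."""
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit


def refang(indicator):
    """Turn a defanged domain pattern ("[.]") back into a matchable one."""
    return indicator.replace("[.]", ".")


# Indicators as stated on the page
SUSPICIOUS_DOMAIN_PATTERNS = [refang(p) for p in ["*.sodamaster[.]com", "*.microsofft[.]net"]]
SUSPICIOUS_USER_AGENT = "Mozilla/5.0 (SodaMaster; Windows NT 6.1)"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_VALUES = {"SodaUpdater", "TrustedInstaller"}
SUSPICIOUS_MUTEXES = {"SodaMaster_Mutex"}

# Assumed proxy log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def domain_matches(host):
    """True if the host matches one of the typosquat/C2 domain patterns."""
    host = host.lower()
    return any(fnmatch(host, pattern) for pattern in SUSPICIOUS_DOMAIN_PATTERNS)


def check_proxy_line(line):
    """Return the reasons a proxy log line is suspicious ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    reasons = []
    host = urlsplit(m.group("url")).hostname or ""
    if domain_matches(host):
        reasons.append(f"domain pattern indicator: {host}")
    if m.group("ua") == SUSPICIOUS_USER_AGENT:
        reasons.append("SodaMaster User-Agent string")
    # The page describes exfiltration over HTTP POST; flag POSTs to hosts
    # that already matched an indicator so analysts can prioritise them.
    if reasons and m.group("method") == "POST":
        reasons.append("HTTP POST to flagged host (possible exfiltration)")
    return reasons


def check_run_key(key_path, value_name):
    """Flag Run-key value names from the page; registry paths are case-insensitive."""
    if key_path.lower() != RUN_KEY.lower():
        return []
    if value_name in SUSPICIOUS_RUN_VALUES:
        return [f"Run-key value name matches indicator: {value_name}"]
    return []


def check_mutex(name):
    """Flag the mutex name from the page, ignoring a Global\\ or Local\\ prefix (assumption)."""
    bare = name.split("\\")[-1]
    return [f"mutex matches indicator: {name}"] if bare in SUSPICIOUS_MUTEXES else []


def scan(proxy_lines, run_keys, mutexes):
    """Run all checks; returns {'proxy': {line_index: reasons}, 'registry': [...], 'mutex': [...]}."""
    hits = {"proxy": {}, "registry": [], "mutex": []}
    for index, line in enumerate(proxy_lines):
        reasons = check_proxy_line(line)
        if reasons:
            hits["proxy"][index] = reasons
    for key_path, value_name in run_keys:
        hits["registry"].extend(check_run_key(key_path, value_name))
    for name in mutexes:
        hits["mutex"].extend(check_mutex(name))
    return hits


# Constructed sample data (not from any real incident)
SAMPLE_PROXY_LOG = [
    '2022-05-10T09:12:01Z 10.0.0.15 POST http://cdn.microsofft.net/api/upload 200 "Mozilla/5.0 (SodaMaster; Windows NT 6.1)"',
    '2022-05-10T09:12:05Z 10.0.0.15 GET https://login.microsoft.net/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-10T09:13:40Z 10.0.0.22 GET http://update.sodamaster.com/check 404 "Mozilla/5.0 (Windows NT 10.0)"',
]
SAMPLE_RUN_KEYS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SodaUpdater"),
    (r"HKCU\Software\ExampleVendor\Settings", "TrustedInstaller"),  # not a Run key
]
SAMPLE_MUTEXES = [r"Global\SodaMaster_Mutex", "MSCTF.Asm.MutexDefault1"]

if __name__ == "__main__":
    for section, found in scan(SAMPLE_PROXY_LOG, SAMPLE_RUN_KEYS, SAMPLE_MUTEXES).items():
        print(section, found)
```

The domain check deliberately uses the page's wildcard patterns, so the legitimate `login.microsoft.net` line is not flagged while `cdn.microsofft.net` (double f) is; the POST reason is only appended to lines that already matched an indicator, which keeps ordinary POST traffic out of the hit list.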

☠️ Risk & Impact

SodaMaster poses high risk to targeted organizations due to its data exfiltration capabilities and stealthy persistence; it has been used to steal classified government documents, network credentials, and internal communications. The affected sectors are primarily government, defense, and telecommunications in the Middle East, with potential for lateral movement within victim networks. Financial losses stem from remediation costs, reputational damage, and loss of sensitive intellectual property.

🛡️ Mitigation

Organizations should implement email filtering to block macro-enabled attachments, enforce application whitelisting, and deploy endpoint detection and response (EDR) solutions capable of detecting anomalous outbound HTTP traffic and process injection. Network defenders can apply Snort rules (e.g., SID 5000042) published by Check Point to flag SodaMaster C2 traffic. Regular patching of Office vulnerabilities and disabling macros for untrusted documents are recommended preventive measures.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.