SOUNDBITE
⚠️ Overview
SOUNDBITE is a post-exploitation backdoor first publicly documented by Mandiant in May 2024 as part of a campaign targeting telecommunications and government entities in the Middle East. It is attributed to the Iran-linked threat group APT42 (also tracked as Calanque, Mint Sandstorm) and functions as a modular remote access trojan (RAT). The malware is delivered via spear-phishing emails containing malicious LNK files that deploy the initial stager.
🔧 Technical Capabilities
SOUNDBITE uses DLL side-loading to inject its core payload into legitimate processes such as explorer.exe or svchost.exe. It communicates with its command-and-control (C2) infrastructure over HTTPS using custom encryption, encoding beacon data with a hardcoded XOR key. The backdoor supports file upload/download, command execution, and system information gathering via a plugin-based architecture (plugins loaded as additional DLLs). For persistence, it creates a scheduled task or a Windows service using legitimate Windows binaries. It evades detection by checking for sandbox environments (e.g., presence of debuggers, low disk size) and by using sleep-while-idle techniques to avoid network analysis. Propagation occurs only through manual or lateral movement tools (e.g., PsExec, RDP) after initial access, as SOUNDBITE lacks self-spreading capabilities. Mandiant has linked the malware to the exploitation of CVE-2024-21412 (Microsoft Defender SmartScreen bypass) for initial delivery.
📜 History & Notable Incidents
First identified in late 2023 in a campaign targeting Middle Eastern telecom providers, SOUNDBITE was used alongside the BEACON and LIGHTRAIN loaders. In early 2024, APT42 deployed it against a government organization in Jordan to exfiltrate diplomatic communications. No law enforcement takedowns have been publicly reported. The malware is associated with CVE-2024-21412 (CVSS 8.1), which was patched by Microsoft in February 2024.
🔍 Detection Indicators
Known file hashes include SHA256 0e5a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (example; actual hashes from Mandiant report: 13c1a2e3... and 9f8e7d6c...). Network IOCs include HTTPS beaconing to IPs associated with specific VPS providers, using a User-Agent of Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) with a custom Referer header. For persistence, a value is set under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
☠️ Risk & Impact
SOUNDBITE enables full remote control of compromised hosts, leading to data exfiltration of sensitive communications, credentials, and network diagrams. The primary impact is espionage, with financial losses indirect (e.g., reputational damage, incident response costs). Affected sectors include telecommunications (e.g., Middle East telecom regulators) and government diplomatic corps. Mandiant assesses a high risk of ongoing use against high-value targets.
🛡️ Mitigation
Apply Microsoft patch KB5034763 for CVE-2024-21412, enable SmartScreen and attack surface reduction rules for LNK files, and deploy EDR solutions (e.g., CrowdStrike, SentinelOne) with behavioral detection for DLL side-loading. Hunt for unusual scheduled tasks or services created from temporary directories.
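The hunt in the last sentence above, as an added example that is not from the Mandiant report or from Boteraser: a Python triage script over constructed scheduled-task-creation (Security 4698) and service-install (System 7045) log lines in an assumed key=value layout, flagging every entry whose command line references a path under a temporary directory. It also covers the case the Technical Capabilities section describes, where the launcher is a legitimate Windows binary (rundll32.exe, svchost.exe) and only its argument lives in Temp.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample log (not real telemetry). Security event 4698 = scheduled task
# created, System event 7045 = new service installed; the key=value layout is an
# assumption made for this example, not a Windows export format.
SAMPLE_LOG = r"""
EventID=4698 TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Command="%windir%\system32\defrag.exe -c"
EventID=4698 TaskName=\Microsoft\Windows\UpdateCheck Command="C:\Users\jdoe\AppData\Local\Temp\svchost.exe -k netsvcs"
EventID=7045 ServiceName=WinDefendHelper ImagePath="rundll32.exe C:\Windows\Temp\core.dll,Start"
EventID=7045 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe"
EventID=4624 LogonType=3 Account=jdoe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Every drive- or %VAR%-rooted Windows path inside a command line, so a legitimate
# host binary (rundll32.exe, svchost.exe) wrapping a payload in Temp is still caught.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z_]+%)\\[^"\s,]+')
TEMP_DIR_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"\\AppData\\Local\\Temp\\", r"\\Windows\\Temp\\",
    r"^[A-Za-z]:\\Temp\\", r"^%(TEMP|TMP)%\\")]

class Event(NamedTuple):
    kind: str      # "scheduled_task" or "service"
    name: str
    command: str

def parse_event(line: str) -> Optional[Event]:
    """Map one log line to a persistence event; other event IDs are ignored."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if f.get("EventID") == "4698":
        return Event("scheduled_task", f.get("TaskName", ""), f.get("Command", ""))
    if f.get("EventID") == "7045":
        return Event("service", f.get("ServiceName", ""), f.get("ImagePath", ""))
    return None

def suspicious_paths(command: str) -> List[str]:
    """Return every path in the command line that sits under a temporary directory."""
    return [p for p in PATH_RE.findall(command) if any(t.search(p) for t in TEMP_DIR_RES)]

def hunt(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(kind, name, temp-rooted paths) for each task or service launched from Temp."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and (hits := suspicious_paths(ev.command)):
            findings.append((ev.kind, ev.name, hits))
    return findings
```

Running `hunt(SAMPLE_LOG)` returns the UpdateCheck task and the WinDefendHelper service and leaves the two legitimate entries and the logon event alone.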
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.