SodaMaster

Malware Profile Updated 3 months ago
SodaMaster, also known as DelfsCake, is a fileless backdoor discovered as one of the payloads delivered by the Ecipekac loader. Ecipekac is a sophisticated multi-layer loader module used to deliver several payloads: SodaMaster, P8RAT (also known as GreetCake and HEAVYPOT), and FYAnti (also known as DILLJUICE stage2), which in turn loads QuasarRAT. SodaMaster uses a custom data structure and RSA for its initial communication, then switches to RC4 to encrypt subsequent traffic. It has also been observed being loaded by HUI Loader alongside other Remote Access Trojans (RATs) such as PlugX, Cobalt Strike, and QuasarRAT. Once running on a system, SodaMaster collects and sends system information such as user_name, host_name, the PID of the malware module, OS_version, and more. Because it is fileless, its activity leaves little on disk, which makes it harder to detect and remove. The Chinese threat actor APT10 exploited a vulnerability in Microsoft Exchange to infiltrate victims' networks, where it deployed a custom loader and the SodaMaster backdoor; this indicates that SodaMaster has been actively used in targeted cyber-espionage operations. With its advanced features and stealthy approach, SodaMaster presents a significant cybersecurity threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Delfscake | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Loader
Backdoor
Malware
Payload
Encryption
RAT
APT
Vulnerability
Associated Malware
ID | Type | Votes | Profile Description
P8RAT | Unspecified | 1 | P8RAT, also known as GreetCake and HEAVYPOT, is a highly sophisticated fileless malware introduced in a campaign by the threat actor Ecipekac. It is part of a multi-layer loader module designed to deliver various payloads including SodaMaster (also referred to as DelfsCake, dfls, and DARKTOWN), P8RA
FYAnti | Unspecified | 1 | Fyanti is a highly sophisticated multi-layer malware loader module, used to deliver various malicious payloads such as SodaMaster (also known as DelfsCake, dfls, and DARKTOWN), P8RAT (also known as GreetCake and HEAVYPOT), and FYAnti (also known as DILLJUICE stage2). These payloads eventually load Q
Heavypot | Unspecified | 1 | None
Dilljuice Stage2 | Unspecified | 1 | None
Greetcake | Unspecified | 1 | None
Ecipekac | Unspecified | 1 | Ecipekac is a sophisticated multi-layered malware, first observed by cybersecurity experts in an advanced cyber campaign. This malicious software, also known as DESLoader, SigLoader, and HEAVYHAND, employs a unique and complex loading schema that involves the use of four files to load and decrypt fo
Associated Threat Actors
ID | Type | Votes | Profile Description
APT10 | Unspecified | 1 | APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the SodaMaster malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of organizations in Asia, Europe, and North America
MITRE | a year ago | APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
Secureworks | a year ago | BRONZE STARLIGHT Ransomware Operations Use HUI Loader