Cybersecurity researchers have disclosed details about a previously undocumented threat actor dubbed Unfading Sea Haze, believed to have been active since 2018.
The intrusion set has primarily targeted high-level organizations in South China Sea countries, notably military and government entities, according to a report from Bitdefender shared with The Hacker News.
“The investigation has unveiled a concerning pattern extending beyond historical trends,” remarked Martin Zugec, technical solutions director at Bitdefender, highlighting that a total of eight victims have been identified to date.
“Notably, the perpetrators have repeatedly regained access to compromised systems. This exploitation underscores a critical vulnerability: inadequate credential hygiene and insufficient patching protocols on exposed devices and web services.”
There are indications suggesting that the threat actor behind these attacks operates with objectives aligning with Chinese interests, despite the attack signatures not overlapping with any known hacking groups.
This includes the victimology footprint, with nations such as the Philippines and other entities in the South Pacific having been previously targeted by the China-linked Mustang Panda group.
The attacks also employed various iterations of the Gh0st RAT malware, a common trojan known to be utilized by Chinese-speaking threat actors.
“One specific technique employed by Unfading Sea Haze – executing JScript code via a tool named SharpJSHandler – mirrored a feature found in the ‘FunnySwitch’ backdoor, which has ties to APT41,” Bitdefender noted. “Both involve loading .NET assemblies and executing JScript code. However, this was an isolated resemblance.”
The precise initial access method used to infiltrate the targets remains unknown. Intriguingly, Unfading Sea Haze has been observed regaining access to the same entities through spear-phishing emails containing booby-trapped archives.
These archive files are equipped with Windows shortcut (LNK) files that, when executed, initiate the infection process by executing a command designed to retrieve the next-stage payload from a remote server. This payload is a backdoor named SerialPktdoor, engineered to run PowerShell scripts, enumerate directories, download/upload files, and delete files.
Moreover, the command leverages the Microsoft Build Engine (MSBuild) to execute a file from a remote location without leaving traces on the victim host, thereby reducing the likelihood of detection.
The attack chains are characterized by the use of scheduled tasks to establish persistence, with task names impersonating legitimate Windows files. Each task runs a benign executable that is susceptible to DLL side-loading, which in turn loads a malicious DLL.
“Beyond utilizing scheduled tasks, the attacker employed another persistence technique: manipulating local Administrator accounts,” the Romanian cybersecurity firm stated. “This involved attempts to enable the disabled local Administrator account, followed by resetting its password.”
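Two of the behaviours described above, MSBuild being pointed at a remote project file and the disabled local Administrator account being enabled and then having its password reset, leave a clear trail in Windows Security auditing. The following detection logic is an added illustration, not Bitdefender's code or telemetry: it runs over constructed event records that mimic event IDs 4688 (process creation), 4722 (account enabled) and 4724 (password reset attempt), and the SIDs, timestamps and paths are invented for the example.

```python
"""Detection logic for two Unfading Sea Haze persistence/execution behaviours:
(1) MSBuild.exe launched with a project file on a UNC or HTTP(S) location,
(2) the built-in local Administrator account (RID 500) enabled via 4722 and then
    its password reset via 4724 within a short window.
Event records below are constructed to resemble simplified Windows Security events."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are simplified.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T09:00:01", "id": 4688,
     "cmd": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe \\10.0.0.5\share\update.xml"},
    {"ts": "2024-05-20T09:00:02", "id": 4688,
     "cmd": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\src\app\app.csproj"},
    {"ts": "2024-05-20T09:05:00", "id": 4722, "target_sid": "S-1-5-21-111-222-333-500"},
    {"ts": "2024-05-20T09:05:30", "id": 4724, "target_sid": "S-1-5-21-111-222-333-500"},
    {"ts": "2024-05-20T10:00:00", "id": 4722, "target_sid": "S-1-5-21-111-222-333-1105"},
]

# MSBuild followed by a UNC (\\host\share) or http(s):// project path.
REMOTE_PROJECT = re.compile(r"(?i)msbuild\.exe\s+\"?(\\\\[^\s\"]+|https?://\S+)")


def msbuild_remote_project(events):
    """Return command lines where MSBuild.exe was given a remote project file."""
    return [e["cmd"] for e in events
            if e.get("id") == 4688 and REMOTE_PROJECT.search(e.get("cmd", ""))]


def admin_enable_then_reset(events, window=timedelta(minutes=10)):
    """Return SIDs of the built-in Administrator (RID 500) that were enabled (4722)
    and then had a password reset (4724) within `window`, in timestamp order."""
    enabled_at = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e.get("target_sid", "")
        if not sid.endswith("-500"):  # only the built-in Administrator account
            continue
        when = datetime.fromisoformat(e["ts"])
        if e["id"] == 4722:
            enabled_at[sid] = when
        elif e["id"] == 4724 and sid in enabled_at and when - enabled_at[sid] <= window:
            hits.append(sid)
    return hits
```

Both checks need command-line auditing for 4688 and account-management auditing enabled; a local build invoking MSBuild on a local .csproj is deliberately left out of the first result so that the rule does not fire on developer machines.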
Since at least September 2022, Unfading Sea Haze is known to have incorporated commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM to gain a foothold on victim networks, a tactic not commonly seen among nation-state actors, except for the Iranian MuddyWater group.
The adversary’s sophistication is demonstrated by a wide variety of custom tools in its arsenal, including variants of Gh0st RAT like SilentGh0st and its evolutionary successor InsidiousGh0st (available in C++, C#, and Go versions), TranslucentGh0st, FluffyGh0st, and EtherealGh0st, the latter three being modular and adopting a plugin-based approach.
A loader known as Ps2dllLoader is also utilized, capable of bypassing the Antimalware Scan Interface (AMSI) and acting as a conduit to deliver SharpJSHandler, which operates by listening for HTTP requests and executing encoded JavaScript code using the Microsoft.JScript library.
Bitdefender identified two additional variants of SharpJSHandler capable of retrieving and executing a payload from cloud storage services like Dropbox and Microsoft OneDrive, and exporting the results back to the same location.
Ps2dllLoader also contains another backdoor named Stubbedoor responsible for launching an encrypted .NET assembly received from a command-and-control (C2) server.
Other artifacts deployed during these attacks include a keylogger called xkeylog, a web browser data stealer, a tool to monitor the presence of portable devices, and a custom data exfiltration program named DustyExfilTool, used between March 2018 and January 2022.
Among the sophisticated arsenal of malicious tools and agents employed by Unfading Sea Haze is a third backdoor known as SharpZulip, which utilizes the Zulip messaging service API to fetch commands for execution from a stream called “NDFUIBNFWDNSA.” In Zulip, streams (now called channels) are akin to channels in Discord and Slack.
Evidence suggests that data exfiltration is performed manually by the threat actor to capture valuable information, including data from messaging applications like Telegram and Viber, packaging it into a password-protected archive.
“This amalgamation of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” Zugec noted.
“Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, demonstrates a focus on flexibility and evasion techniques. The observed shift towards modularity, dynamic elements, and in-memory execution underscores their efforts to circumvent traditional security measures.”