A newly identified cyber threat group, known as "Unfading Sea Haze," has been secretly infiltrating military and government networks in the South China Sea region since 2018, according to a recent report by Bitdefender researchers. The group's activities align with Chinese geopolitical interests, focusing on gathering intelligence and conducting espionage. Unfading Sea Haze shares many tactics, techniques, and procedures (TTPs) with other Chinese state-sponsored hacking groups, particularly APT41.
The group's attacks typically begin with spear-phishing emails containing malicious ZIP files disguised as legitimate documents. These ZIP files, often named to appear as Windows Defender installers, contain LNK files with obfuscated PowerShell commands. If an ESET security executable is detected on the target system, the attack is halted. Otherwise, the PowerShell script uses Microsoft's msbuild.exe to launch fileless malware directly into memory, leaving no traces on the victim's machine.
The code executed by MSBuild installs a backdoor called 'SerialPktdoor,' which gives the attackers remote control over the compromised system. Additionally, the hackers use scheduled tasks and manipulate local administrator accounts to maintain their presence on the network. By resetting and enabling the typically disabled local admin account, they create a hidden profile for continuous access.
Unfading Sea Haze employs a variety of custom tools and malware. Among these are 'xkeylog,' a keylogger for capturing keystrokes, info-stealers targeting browser data, and PowerShell scripts for extracting information. Since 2023, the group has adopted stealthier methods, such as abusing msbuild.exe to load C# payloads from remote SMB shares and deploying different variants of the Gh0stRAT malware.
Bitdefender has identified several Gh0stRAT variants used by the hackers:
1. SilentGh0st: A variant with extensive functionality through numerous commands and modules.
2. InsidiousGh0st: A Go-based evolution with enhanced capabilities, including TCP proxy, SOCKS5, and improved PowerShell integration.
3. TranslucentGh0st, EtherealGh0st, and FluffyGh0st: Newer variants designed for evasive operations with dynamic plugin loading and a lighter footprint.
Earlier attacks utilised tools like Ps2dllLoader for loading .NET or PowerShell code into memory and SharpJSHandler, a web shell for executing encoded JavaScript via HTTP requests. The group also created a tool to monitor newly connected USB and Windows Portable Devices every ten seconds, reporting device details and specific files to the attackers.
For data exfiltration, Unfading Sea Haze initially used a custom tool named 'DustyExfilTool,' which securely extracted data via TLS over TCP. In more recent attacks, the group has shifted to using a curl utility and the FTP protocol, with dynamically generated credentials that are frequently changed to enhance security.
The sophisticated techniques employed by Unfading Sea Haze highlight the need for robust cybersecurity defences. Organisations should implement a comprehensive security strategy that includes regular patch management, multi-factor authentication (MFA), network segmentation, traffic monitoring, and advanced detection and response tools.
By adopting these measures, organisations can better defend against the persistent and evolving threats posed by groups like Unfading Sea Haze. The group's ability to remain undetected for six years sets a strong precedent for the critical importance of vigilance and continuous improvement in cybersecurity practices.
