Unfading Sea Haze: New Espionage Threat Targets Military and Government Entities in the South China Sea

Bucharest, Romania: Bitdefender researchers have uncovered a previously unknown threat actor, dubbed “Unfading Sea Haze,” that has been covertly targeting military and government entities in the South China Sea region since 2018. This group has managed to evade detection until now, with operations closely aligning with Chinese geopolitical interests, focusing primarily on intelligence collection and espionage.

Operational Overlaps with APT41

Unfading Sea Haze exhibits notable overlaps in operational tactics, techniques, and procedures (TTPs) with other known Chinese state-sponsored threat actors, particularly APT41. This suggests a sophisticated level of coordination and resource sharing among these groups.

Abusing MSBuild for Fileless Malware

The group’s attack campaigns typically begin with spear-phishing emails containing malicious ZIP archives. These archives house LNK files disguised as legitimate documents. Recent lures, as of March 2024, have included U.S. political themes, with the ZIP files deceptively named to resemble Windows Defender installers or updaters.

Once an LNK file is opened, it executes a PowerShell command that checks for the presence of an ESET executable (ekrn.exe). If the executable is not found, the command launches fileless malware directly into memory using Microsoft’s MSBuild command-line compiler.

“In this attack, the criminals start a new MSBuild process with a twist: they specify a working directory located on a remote SMB server,” explains Bitdefender. “By setting the working directory to a remote location, MSBuild will search for a project file on that remote server. If found, MSBuild will execute the code it contains entirely in memory, leaving no traces on the victim’s machine.”

Persistence and Control

The code executed by MSBuild installs a backdoor program named ‘SerialPktdoor,’ providing the attackers with remote control over the compromised system. The group also employs scheduled tasks to execute benign files that side-load malicious DLLs, along with manipulating local administrator accounts for persistence. This includes resetting the password for the local administrator account (typically disabled by default in Windows), enabling it, and then hiding it from the login screen via Registry modifications.
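The two behaviours described above (MSBuild pulling a project from a remote SMB share, and the built-in administrator being reset, enabled and hidden) both leave telemetry a defender can hunt on. The following Python hunting rules are an added example written for this article, not Bitdefender's code or anything from the report: the process-creation, Security-log and registry events are modelled as plain dicts constructed inline, with placeholder hostnames, SIDs and paths, so the rules run offline. Rule 1 flags any MSBuild process whose working directory or project argument is a UNC path; rule 2 correlates, per host, a password reset (event 4724) and an enable (event 4722) of the RID-500 account with a write to the Winlogon SpecialAccounts\UserList key, which is the registry location commonly used to hide an account from the login screen and is assumed here to be the modification the report refers to.

```python
"""Hunting rules for two Unfading Sea Haze tradecraft items.

Added example, not Bitdefender's code. Events are constructed dicts so the
rules run offline; real deployments would feed Sysmon / Security-log records.
"""
import re
from collections import defaultdict

# Matches a UNC path prefix such as \\server\share\ in a command line or cwd.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")

# Registry key whose DWORD 0 values hide an account from the logon screen
# (assumed to be the "Registry modification" the report describes).
HIDE_KEY = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            r"\SpecialAccounts\UserList")

# Constructed sample telemetry; hosts, SIDs and paths are placeholders.
EVENTS = [
    {"type": "process", "host": "ws01", "parent": "powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe", "cwd": r"\\10.0.0.5\share\proj"},
    {"type": "process", "host": "ws02", "parent": "devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app.csproj", "cwd": r"C:\src"},
    {"type": "security", "host": "ws01", "event_id": 4724,
     "target_sid": "S-1-5-21-1-2-3-500", "target": "Administrator"},
    {"type": "security", "host": "ws01", "event_id": 4722,
     "target_sid": "S-1-5-21-1-2-3-500", "target": "Administrator"},
    {"type": "registry", "host": "ws01", "key": HIDE_KEY,
     "value": "Administrator", "data": 0},
    # ws03 only shows an enable with no reset or hide: should not fire.
    {"type": "security", "host": "ws03", "event_id": 4722,
     "target_sid": "S-1-5-21-9-9-9-500", "target": "Administrator"},
]


def msbuild_remote_project(event):
    """Rule 1: MSBuild whose cwd or project argument points at a UNC path."""
    if event.get("type") != "process":
        return None
    if not event["image"].lower().endswith("msbuild.exe"):
        return None
    if UNC_RE.search(event.get("cwd", "")) or UNC_RE.search(event.get("cmdline", "")):
        return {"host": event["host"], "rule": "msbuild_remote_project",
                "parent": event["parent"]}
    return None


def hidden_admin_persistence(events):
    """Rule 2: per host, RID-500 reset (4724) + enable (4722) + UserList hide."""
    per_host = defaultdict(set)
    for e in events:
        if e.get("type") == "security" and e.get("target_sid", "").endswith("-500"):
            per_host[e["host"]].add(e["event_id"])
        if (e.get("type") == "registry"
                and e.get("key", "").lower() == HIDE_KEY.lower()
                and e.get("data") == 0):
            per_host[e["host"]].add("userlist_hide")
    return [{"host": h, "rule": "hidden_admin_persistence"}
            for h, seen in per_host.items()
            if {4724, 4722, "userlist_hide"} <= seen]


def run_rules(events):
    """Apply both rules and return the combined list of findings."""
    hits = [h for h in (msbuild_remote_project(e) for e in events) if h]
    hits.extend(hidden_admin_persistence(events))
    return hits


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
```

Rule 1 keys on the UNC path rather than on MSBuild itself, because MSBuild is legitimate developer tooling; the parent process is returned with the finding so an analyst can separate a build server from a PowerShell launched by an LNK file. Rule 2 requires all three pieces on the same host, so a routine administrator password reset alone does not alert.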

Advanced Arsenal and Techniques

Unfading Sea Haze utilizes an array of custom tools and malware to conduct its operations. These include:

  • xkeylog: A custom keylogger capturing keystrokes.
  • Info-stealers: Targeting data stored in browsers like Chrome, Firefox, and Edge.
  • PowerShell scripts: Extracting information from browser databases.
  • SilentGh0st, InsidiousGh0st, TranslucentGh0st, EtherealGh0st, and FluffyGh0st: Variants of Gh0stRAT, evolving over time with features like dynamic plugin loading and lighter footprints for evasive operations.

Earlier attacks also saw the use of tools like Ps2dllLoader (for loading .NET or PowerShell code into memory) and SharpJSHandler (a web shell for executing encoded JavaScript code).

A particularly intriguing tool checks for newly plugged USB and Windows Portable Devices (WPD) every ten seconds, sending device details and specific files to the attackers.

Data Exfiltration

To exfiltrate data, Unfading Sea Haze uses a custom tool named ‘DustyExfilTool’ for secure data extraction via TLS over TCP. More recent attacks have shifted to using curl and the FTP protocol, with dynamically generated credentials that change frequently.

Stealth, Persistence, and Adaptability

Unfading Sea Haze showcases a high level of stealth, persistence, and adaptability, leveraging fileless attacks, advanced evasion methods, and modular malware design. To combat these threats, Bitdefender recommends that organizations adopt a comprehensive security strategy, including:

  • Patch Management: Ensuring all systems are up-to-date with the latest security patches.
  • MFA Adoption: Implementing multi-factor authentication to enhance security.
  • Network Segmentation: Isolating critical systems to limit lateral movement.
  • Traffic Monitoring: Vigilantly monitoring network traffic for anomalies.
  • Advanced Detection and Response Products: Deploying state-of-the-art tools to detect and respond to threats promptly.

As Unfading Sea Haze continues to pose a significant threat to entities in the South China Sea region, maintaining robust cybersecurity measures is crucial to defending against their sophisticated espionage activities.
