Researchers Warn of Chinese-Aligned Hackers Targeting South China Sea Countries

Cybersecurity researchers have disclosed details of a previously undocumented threat group called Unfading Sea Haze that is believed to have been active since 2018.

The intrusions singled out high-level organizations in South China Sea countries, particularly military and government targets, Bitdefender said in a report shared with The Hacker News.

“The investigation revealed a troubling trend beyond the historical context,” Martin Zugec, technical solutions director at Bitdefender, said, adding that it identified a total of eight victims to date.

“Notably, the attackers repeatedly regained access to compromised systems. This exploitation highlights a critical vulnerability: poor credential hygiene and inadequate patching practices on exposed devices and web services.”

There are some indications that the threat actor behind the attacks is operating with goals aligned with Chinese interests, even though the attack signatures do not overlap with those of any known hacking crew.

This includes the victimology footprint, with countries like the Philippines and other organizations in the South Pacific previously targeted by the China-linked Mustang Panda actor.


Also used in the attacks are various iterations of the Gh0st RAT malware, a commodity trojan known to be used by Chinese-speaking threat actors.

“One specific technique employed by Unfading Sea Haze – running JScript code through a tool called SharpJSHandler – resembled a feature found in the ‘FunnySwitch’ backdoor, which has been linked to APT41,” Bitdefender said. “Both involve loading .NET assemblies and executing JScript code. However, this was an isolated similarity.”

The exact initial access pathway used to infiltrate the targets is currently unknown, although, in an interesting twist, Unfading Sea Haze has been observed regaining access to the same entities via spear-phishing emails containing booby-trapped archives.

These archive files come fitted with Windows shortcut (LNK) files that, when launched, trigger the infection process by executing a command designed to retrieve the next-stage payload from a remote server. This payload is a backdoor dubbed SerialPktdoor that is engineered to run PowerShell scripts, enumerate directories, download/upload files, and delete files.

What's more, the command leverages the Microsoft Build Engine (MSBuild) to filelessly execute a file hosted at a remote location, thus leaving no traces on the victim host and reducing the chances of detection.


The attack chains are characterized by the use of scheduled tasks as a way to establish persistence, with the task names impersonating legitimate Windows files. The tasks are employed to run a harmless executable that is susceptible to DLL side-loading in order to load a malicious DLL.

“Beyond using scheduled tasks, the attacker employed another persistence technique: manipulating local Administrator accounts,” the Romanian cybersecurity firm said. “This involved attempts to enable the disabled local Administrator account, followed by resetting its password.”
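Detection logic for the two persistence techniques just described, written as an added example (not Bitdefender's code or tooling) and run over constructed Windows Security event records: event IDs 4698, 4722 and 4724 are the standard Windows audit IDs for scheduled task creation, account enabled and password reset, while the record field names and the list of impersonated binary names are assumptions made for this sketch.

```python
from datetime import datetime, timedelta

# Constructed Windows Security event records (not real telemetry). Event IDs:
# 4698 = scheduled task created, 4722 = user account enabled,
# 4724 = password reset attempted. The field names are an assumption.
SAMPLE_EVENTS = [
    {"id": 4698, "time": "2024-03-01T09:00:05", "host": "WS01",
     "task": "\\Microsoft\\Windows\\Maintenance\\svchost"},
    {"id": 4698, "time": "2024-03-01T09:05:00", "host": "WS01",
     "task": "\\Microsoft\\Windows\\Backup\\NightlyBackup"},
    {"id": 4722, "time": "2024-03-01T09:10:00", "host": "WS01",
     "subject": "jdoe", "target": "Administrator"},
    {"id": 4724, "time": "2024-03-01T09:12:30", "host": "WS01",
     "subject": "jdoe", "target": "Administrator"},
    {"id": 4724, "time": "2024-03-01T11:00:00", "host": "WS02",
     "subject": "helpdesk", "target": "Administrator"},
]

# Legitimate Windows binary names a persistence task might be named after;
# an illustrative list, not one taken from Bitdefender's report.
WINDOWS_BINARY_NAMES = {"svchost", "lsass", "wininit", "taskhostw", "dllhost"}

def suspicious_task_names(events):
    """Return 4698 task paths whose leaf name mimics a Windows binary."""
    hits = []
    for ev in events:
        if ev["id"] != 4698:
            continue
        leaf = ev["task"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if leaf in WINDOWS_BINARY_NAMES:
            hits.append(ev["task"])
    return hits

def admin_enable_then_reset(events, window_minutes=30):
    """Return (host, actor) pairs where the local Administrator account was
    enabled (4722) and then had its password reset (4724) within the window."""
    enabled_at, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("target", "").lower() != "administrator":
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4722:
            enabled_at[ev["host"]] = when
        elif ev["id"] == 4724 and ev["host"] in enabled_at:
            if when - enabled_at[ev["host"]] <= timedelta(minutes=window_minutes):
                findings.append((ev["host"], ev["subject"]))
    return findings

if __name__ == "__main__":
    print(suspicious_task_names(SAMPLE_EVENTS), admin_enable_then_reset(SAMPLE_EVENTS))
```

The second rule deliberately ignores a lone 4724 on WS02, since a password reset without a preceding enable of a disabled account is routine help-desk activity.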

At least since September 2022, Unfading Sea Haze is known to incorporate commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM to gain a foothold on victim networks, a tactic not commonly observed among nation-state actors barring the Iranian MuddyWater group.

The adversary's sophistication is evidenced by a wide variety of custom tools in its arsenal, which includes variants of Gh0st RAT such as SilentGh0st and its evolutionary successor InsidiousGh0st (which comes in C++, C#, and Go versions), TranslucentGh0st, FluffyGh0st, and EtherealGh0st, the latter three of which are modular and adopt a plugin-based approach.

Also put to use is a loader known as Ps2dllLoader that can bypass the Antimalware Scan Interface (AMSI) and acts as a conduit to deliver SharpJSHandler, which operates by listening for HTTP requests and executing the encoded JavaScript code using the Microsoft.JScript library.


Bitdefender said it uncovered two other flavors of SharpJSHandler that are capable of retrieving and running a payload from cloud storage services like Dropbox and Microsoft OneDrive, and exporting the results back to the same location.

Ps2dllLoader also contains another backdoor codenamed Stubbedoor that is responsible for launching an encrypted .NET assembly received from a command-and-control (C2) server.

Other artifacts deployed over the course of the attacks include a keylogger called xkeylog, a web browser data stealer, a tool to monitor the presence of portable devices, and a custom data exfiltration program named DustyExfilTool that was put to use between March 2018 and January 2022.

That's not all. Present among the complex arsenal of malicious agents and tools used by Unfading Sea Haze is a third backdoor called SharpZulip that uses the Zulip messaging service API to fetch commands for execution from a stream called “NDFUIBNFWDNSA.” In Zulip, streams (now called channels) are analogous to channels in Discord and Slack.

There is evidence to suggest that the data exfiltration is carried out manually by the threat actor in order to capture information of interest, including data from messaging applications like Telegram and Viber, and package it in the form of a password-protected archive.

“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” Zugec pointed out.

“Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques. The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures.”
