Cybersecurity researchers have disclosed details of a previously undocumented threat group called Unfading Sea Haze that’s believed to have been active since 2018.
The intrusion singled out high-level organizations in South China Sea countries, particularly military and government targets, Bitdefender said in a report shared with The Hacker News.
“The investigation revealed a troubling trend beyond the historical context,” Martin Zugec, technical solutions director at Bitdefender, said, adding it identified a total of eight victims to date.
“Notably, the attackers repeatedly regained access to compromised systems. This exploitation highlights a critical vulnerability: poor credential hygiene and inadequate patching practices on exposed devices and web services.”
There are some indications that the threat actor behind the attacks is operating with goals that are aligned with Chinese interests despite the fact that the attack signatures do not overlap with those of any known hacking crew.
This includes the victimology footprint, with countries like the Philippines and other organizations in the South Pacific previously targeted by the China-linked Mustang Panda actor.
Also used in the attacks are various iterations of the Gh0st RAT malware, a commodity trojan known to be used by Chinese-speaking threat actors.
“One specific technique employed by Unfading Sea Haze – running JScript code through a tool called SharpJSHandler – resembled a feature found in the ‘FunnySwitch‘ backdoor, which has been linked to APT41,” Bitdefender said. “Both involve loading .NET assemblies and executing JScript code. However, this was an isolated similarity.”
The exact initial access pathway used to infiltrate the targets is currently known, although, in an interesting twist, Unfading Sea Haze has been observed regaining access to the same entities through spear-phishing emails containing booby-trapped archives.
These archive files come fitted with Windows shortcut (LNK) files that, when launched, set off the infection process by executing a command that’s designed to retrieve the next-stage payload from a remote server. This payload is a backdoor dubbed SerialPktdoor that’s engineered to run PowerShell scripts, enumerate directors, download/upload files, and delete files.
What’s more, the command leverages the Microsoft Build Engine (MSBuild) to filelessly execute a file located in a remote location, thus leaving no traces on the victim host and lowering the chances of detection.
The attack chains are characterized by the use of scheduled tasks as a way to establish persistence, with the task names impersonating legitimate Windows files that are employed to run a harmless executable that’s susceptible to DLL side-loading in order to load a malicious DLL.
“Beyond using scheduled tasks, the attacker employed another persistence technique: manipulating local Administrator accounts,” the Romanian cybersecurity firm said. “This involved attempts to enable the disabled local Administrator account, followed by resetting its password.”
At least since September 2022, Unfading Sea Haze is known to incorporate commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM to gain a foothold on victim networks, a tactic not commonly observed among nation-state actors barring the Iranian MuddyWater group.
The adversary’s sophistication is evidenced by a wide variety of custom tools in its arsenal, which comprises variants of Gh0st RAT such as SilentGh0st and its evolutionary successor InsidiousGh0st (which comes in C++, C#, and Go versions), TranslucentGh0st, FluffyGh0st, and EtherealGh0st, the latter three of which are modular and adopt a plugin-based approach.
Also put to use is a loader known as Ps2dllLoader that can bypass the Antimalware Scan Interface (AMSI) and acts as a conduit to deliver SharpJSHandler, which operates by listening for HTTP requests and executes the encoded JavaScript code using Microsoft.JScript library.
Bitdefender said it uncovered two more flavors of SharpJSHandler that are capable of retrieving and running a payload from cloud storage services like Dropbox and Microsoft OneDrive, and exporting the results back to the same location.
Ps2dllLoader also contains another backdoor codenamed Stubbedoor that’s responsible for launching an encrypted .NET assembly received from a command-and-control (C2) server.
Other artifacts deployed over the course of the attacks encompass a keylogger called xkeylog, a web browser data stealer, a tool to monitor the presence of portable devices, and a custom data exfiltration program named DustyExfilTool that was put to use between March 2018 and January 2022.
That’s not all. Present among the complex arsenal of malicious agents and tools used by Unfading Sea Haze is a third backdoor referred to as SharpZulip that utilizes the Zulip messaging service API to fetch commands for execution from a stream called “NDFUIBNFWDNSA.” In Zulip, streams (now called channels) are analogous to channels in Discord and Slack.
There is evidence to suggest that the data exfiltration is performed manually by the threat actor in order to capture information of interest, including data from messaging applications like Telegram and Viber, and package it in the form of a password-protected archive.
“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” Zugec pointed out.
“Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques. The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures.”