
Study: Chinese-Aligned Hackers Targeting Countries in South China Sea Pose Security Threat, Researchers Say

Cybersecurity researchers have disclosed details of a previously undocumented threat group tracked as Unfading Sea Haze, which has been active since 2018. Its intrusions targeted high-level organizations in South China Sea countries, chiefly military and government entities, according to a Bitdefender report shared with The Hacker News.

Martin Zugec, technical solutions director at Bitdefender, noted that the investigation identified eight victims to date and highlighted a troubling trend of attackers regaining access to compromised systems due to poor credential hygiene and inadequate patching practices.

While the attack signatures do not match those of known hacking groups, the evidence suggests that the threat actor's objectives may align with Chinese interests. Its techniques include the Gh0st RAT malware and a specific technique in which JScript code is executed through SharpJSHandler.

The attackers have been observed regaining access through spear-phishing emails carrying booby-trapped archives. Opening these archives starts the infection chain by executing a command that retrieves and runs a backdoor named SerialPktdoor, which supports a range of malicious activities.

The attacks use the Microsoft Build Engine (MSBuild) for fileless execution and scheduled tasks for persistence. To retain access, the attackers also manipulate local Administrator accounts and deploy commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM.
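As an added example (not code from the Bitdefender report or this article), the following Python triage script shows how a defender might surface the behaviours just described in process-creation telemetry: MSBuild launched by a scheduler or script host, or handed a project file in a user-writable directory; a scheduled task whose action invokes MSBuild; and local Administrator account manipulation via net.exe. The JSON-lines records, field names and paths are constructed for illustration.

```python
import json

# Constructed sample records (not from the report): a hypothetical JSON-lines
# export of process-creation events using Sysmon Event ID 1 style field names.
SAMPLE_EVENTS = r'''
{"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"MSBuild.exe C:\\Users\\Public\\Libraries\\update.xml"}
{"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe","ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\devenv.exe","CommandLine":"MSBuild.exe C:\\src\\app\\app.csproj /t:Build"}
{"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"schtasks /create /sc minute /mo 30 /tn Updater /tr \"MSBuild.exe C:\\Users\\Public\\Libraries\\update.xml\""}
{"Image":"C:\\Windows\\System32\\net.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"net user Administrator /active:yes"}
{"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe notes.txt"}
'''

# Parents that should not normally spawn a build tool: the Task Scheduler
# service host (svchost.exe on current Windows, taskeng.exe on older ones),
# script hosts and Office applications.
SUSPICIOUS_PARENTS = ("svchost.exe", "taskeng.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
# Directories where a legitimate project file rarely lives but a dropped one does.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def triage(jsonl: str) -> list:
    """Return (rule_name, command_line) pairs for records matching a rule."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        cmd = ev["CommandLine"].lower()
        # Rule 1: MSBuild used as a fileless execution host rather than a build.
        if image == "msbuild.exe" and (parent in SUSPICIOUS_PARENTS
                                       or any(p in cmd for p in USER_WRITABLE)):
            findings.append(("msbuild_fileless_exec", ev["CommandLine"]))
        # Rule 2: scheduled task persistence whose action re-launches MSBuild.
        if image == "schtasks.exe" and "/create" in cmd and "msbuild" in cmd:
            findings.append(("schtasks_persistence_msbuild", ev["CommandLine"]))
        # Rule 3: enabling or adding a local Administrator account from the CLI.
        if image == "net.exe" and "administrator" in cmd and ("/active:yes" in cmd or "/add" in cmd):
            findings.append(("local_admin_manipulation", ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

The ordinary Visual Studio build in the second record is deliberately left unflagged; tune SUSPICIOUS_PARENTS and USER_WRITABLE to your own build hosts before deploying such logic.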

The adversary's sophisticated arsenal includes custom Gh0st RAT variants named SilentGh0st, InsidiousGh0st, TranslucentGh0st, FluffyGh0st and EtherealGh0st, as well as Ps2dllLoader, which bypasses AMSI and launches SharpJSHandler. The toolset also includes keyloggers, data stealers and data exfiltration tools.

Another backdoor, SharpZulip, fetches commands for execution from the Zulip messaging service API. Data exfiltration is performed manually, which points to a targeted espionage campaign focused on acquiring sensitive information.

The custom malware arsenal and evasion techniques used by Unfading Sea Haze showcase a focus on flexibility and bypassing security measures. The observed shift towards modularity and in-memory execution highlights their efforts to evade detection.
