A recently discovered cyber threat actor, dubbed 'Unfading Sea Haze', has been targeting organizations in the South China Sea region since 2018. The threat actor group remained undetected for over five years, despite its attacks on several high-profile military and government entities. Researchers observed that its operations align with Chinese geopolitical interests in the region.

Unfading Sea Nations Likely Affiliated with Chinese Government

Bitdefender researchers discovered that the group's TTPs (tactics, techniques, and procedures) and toolset overlaps with that of other Chinese state-sponsored threat actors such as APT41 (BARIUM). Unfading Sea Haze employs a multi-stage attack chain, often beginning with spear-phishing emails carrying malicious LNK files disguised within seemingly innocuous documents. Upon clicking these LNK files, a lengthy obfuscated PowerShell command checks for the presence of an ESET executable (ekrn.exe). If found, the attack halts; otherwise, the PowerShell script directly compiles malware into Windows memory using Microsoft's legitimate msbuild.exe command-line compiler. The attackers use scheduled tasks to side-load malicious DLLs and modify the disabled default administrator account to maintain persistence. They reset the password for the local administrator account, enable it, and hide it from the login screen via Registry modifications. This step provides the threat actors with a hidden administrator account for further attacks. Once access is established, Unfading Sea Haze uses a custom keylogger named 'xkeylog' to capture keystrokes, an browser-data stealer to target data stored in Chrome, Firefox, or Edge browsers, along with various PowerShell scripts to extract information from browser databases. Unfading Sea Haze's campaign employs a wide arsenal of custom-developed malware and publicly available tools. The group's initial campaigns involved the use of tools such as the xkeylog keylogger for credential theft and SharpJSHandler, a web shell alternative for remote code execution. The group later shifted towards the use of stealthier options, such as iterations of the Gh0st RAT malware family including SilentGh0st, TranslucentGh0st, and newer, more modular variants like FluffyGh0st, InsidiousGh0st, and EtherealGh0st. This recent shift demonstrates an ongoing effort to adapt their toolkit for maximum effectiveness and evasion. Unfading Sea Haze also uses commercial Remote Monitoring and Management (RMM) tools, such as Itarian RMM, in the attack chain to establish a foothold on compromised networks.

Unfading Haze Shares Similarities with APT41

Adding to the concern, the investigation revealed Unfading Sea Haze's repeated success in regaining access to previously compromised systems. This persistence points to a critical vulnerability often exploited by malicious actors: poor credential hygiene and inadequate patching practices within targeted organizations. Researchers suggest the use of various Gh0st RAT variants by the Unfading Sea Haze group could imply a close connection to the Chinese threat actor ecosystem, where the sharing of closed-source RATs and tools is common among state-sponsored actors. The campaign's integration of the SharpJSHandler module to execute script shares similarities with the invoke command found in the funnyswitch backdoor, which has been frequently employed by APT41 in its campaigns. Both SharpJSHandler and funnyswitch load .NET assemblies and execute JScript code. However, these similarities are limited, as funnyswitch contains additional features not present in SharpJSHandler. No further overlaps with APT41's tooling were discovered during the investigation.

Researchers Share Recommendations

Researchers note that the Unfading Sea Haze group has demonstrated a high level of sophistication in their attacks, with the usage of a custom malware arsenal for additional flexibility and evasiveness. The shift towards modularity, dynamic elements, and in-memory execution indicates the group's continuous efforts to circumvent traditional security measures. As attackers persistently adapt their tactics, researchers have recommended a comprehensive and layered security approach for likely victims. This includes prioritizing vulnerability management, implementation of strong authentication techniques, network segmentation, traffic monitoring and effective logging. Researchers have also shared IOC (Indicator of Compromise) information on the campaign such as associated IP addresses, domains used, MD5 file hashes and storage file paths. Additionally the researchers have linked to a full report featuring an in-depth look at the Gh0st RAT family and other malware samples. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.