May 22, 2024 at 11:19AM
Cybersecurity researchers have uncovered a new threat group, tracked as Unfading Sea Haze, targeting high-level organizations in South China Sea countries. The attackers' goals appear aligned with Chinese interests; they field a varied malware set and several persistence techniques, and they perform data exfiltration manually, all of which points to a focused espionage campaign. The group's tooling and tactics are built to slip past traditional security controls.
Bitdefender's research details the activities of Unfading Sea Haze, which has been active since 2018. The group has targeted high-level organizations in South China Sea countries, with a particular focus on military and government entities. Bitdefender, which identified the intrusions, notes that the attackers repeatedly regained access to previously compromised systems, a pattern it attributes to poor credential hygiene and inadequate patching. Although the attack signatures do not overlap with those of known hacking groups, there are indications that the threat actor's goals are aligned with Chinese interests.
Unfading Sea Haze has been observed using various iterations of the Gh0st RAT malware alongside other tooling, including a tool called SharpJSHandler and a backdoor dubbed SerialPktdoor. For persistence on victim networks the group relies on scheduled tasks and on manipulating local Administrator accounts, re-enabling the built-in account where it had been disabled and resetting its password. Notably, the group has also incorporated commercially available Remote Monitoring and Management (RMM) tools into its tradecraft, which is uncommon among nation-state actors.
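The two persistence steps above leave a recognisable trail in the Windows Security log: 4722 (user account enabled) and 4724 (password reset attempt) against the built-in Administrator (RID 500), followed shortly by 4698 (scheduled task created). The hunt below is an added example written for this page, not Bitdefender's tooling or anything from the report; the sample events are constructed, the flat JSON field names (`host`, `EventID`, `TargetSid`, `TaskContent`, ...) are an assumption modelled on common EVTX-to-JSON exports, and the "suspicious task" heuristics (user-writable path, encoded PowerShell) are generic ones, not indicators taken from the campaign.

```python
"""Hunt for built-in Administrator tampering followed by scheduled-task
persistence in exported Windows Security events (added example)."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are an assumption
# modelled on flat EVTX-to-JSON exports; adapt them to your SIEM's schema.
SAMPLE_LOG = r'''
{"time":"2024-03-02T01:14:05Z","host":"FS01","EventID":4722,"SubjectUserName":"svc_backup","TargetUserName":"Administrator","TargetSid":"S-1-5-21-1004336348-1177238915-682003330-500"}
{"time":"2024-03-02T01:14:07Z","host":"FS01","EventID":4724,"SubjectUserName":"svc_backup","TargetUserName":"Administrator","TargetSid":"S-1-5-21-1004336348-1177238915-682003330-500"}
{"time":"2024-03-02T01:16:40Z","host":"FS01","EventID":4698,"SubjectUserName":"Administrator","TaskName":"\\Microsoft\\Windows\\Wininet\\CacheTask2","TaskContent":"<Exec><Command>powershell.exe</Command><Arguments>-w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments><WorkingDirectory>C:\\Users\\Public\\Libraries\\</WorkingDirectory></Exec>"}
{"time":"2024-03-02T09:00:00Z","host":"WS07","EventID":4722,"SubjectUserName":"hr_admin","TargetUserName":"jdoe","TargetSid":"S-1-5-21-1004336348-1177238915-682003330-1187"}
{"time":"2024-03-02T09:05:00Z","host":"WS07","EventID":4698,"SubjectUserName":"SYSTEM","TaskName":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","TaskContent":"<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"}
'''

BUILTIN_ADMIN_RID = "-500"                       # RID 500 = built-in Administrator
ACCOUNT_TAMPER_IDS = {4722: "account enabled", 4724: "password reset"}
# Generic heuristics for a task action, not campaign-specific indicators.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\Public|Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
ENCODED_PS = re.compile(r"powershell[^\n]*?\s-(?:e|ec|enc|encodedcommand)\b", re.I)


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become datetimes."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def admin_account_tampering(events):
    """(host, time, reason) for 4722/4724 aimed at the built-in Administrator."""
    hits = []
    for ev in events:
        what = ACCOUNT_TAMPER_IDS.get(ev["EventID"])
        if what and ev.get("TargetSid", "").endswith(BUILTIN_ADMIN_RID):
            hits.append((ev["host"], ev["time"],
                         f"built-in Administrator {what} by {ev['SubjectUserName']}"))
    return hits


def suspicious_task_creation(events):
    """(host, time, reason) for 4698 whose action looks attacker-controlled."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4698:
            continue
        flat = re.sub(r"<[^>]+>", " ", ev.get("TaskContent", ""))  # drop XML tags
        reasons = []
        if USER_WRITABLE.search(flat):
            reasons.append("action in user-writable path")
        if ENCODED_PS.search(flat):
            reasons.append("encoded PowerShell")
        if reasons:
            hits.append((ev["host"], ev["time"],
                         f"task {ev['TaskName']}: " + ", ".join(reasons)))
    return hits


def correlate(events, window=timedelta(minutes=30)):
    """Hosts where Administrator tampering and a suspicious task creation fall
    within `window` of each other: the two-step persistence pattern."""
    alerts = {}
    tasks = suspicious_task_creation(events)
    for host, t1, r1 in admin_account_tampering(events):
        for h2, t2, r2 in tasks:
            if h2 == host and abs(t2 - t1) <= window:
                alerts.setdefault(host, set()).update({r1, r2})
    return {h: sorted(r) for h, r in alerts.items()}


if __name__ == "__main__":
    for host, reasons in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"[ALERT] {host}")
        for r in reasons:
            print(f"    - {r}")
```

The benign events on WS07 (an HR admin enabling a normal user, SYSTEM registering a defrag task) produce no alert, while FS01 trips all three rules. Two caveats: 4698 is only written when "Audit Other Object Access Events" is enabled in the audit policy, so check that first; and matching on the RID rather than the name catches the case where the built-in account has been renamed.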
The adversary's sophistication is evidenced by the wide variety of custom tools in its arsenal, including the Gh0st RAT variants and a loader known as Ps2dllLoader that stages further payloads in memory, paired with multiple backdoors and evasion techniques. Unfading Sea Haze also uses a custom data exfiltration program and another backdoor referred to as SharpZulip, consistent with targeted espionage aimed at harvesting sensitive information from compromised systems.
The group's marked shift towards modular, dynamically loaded, in-memory tooling reflects a deliberate effort to evade traditional, file-based security controls. The researchers report that the threat actor performs data exfiltration manually, collecting data from messaging applications such as Telegram and Viber and packaging it into password-protected archives before sending it out.
The findings shed light on the tactics, techniques, and procedures employed by Unfading Sea Haze and underline the need for stronger credential hygiene, timely patching, and detection of in-memory execution to counter the group's capabilities.