New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea

The investigation, which involved analyzing multiple victims, primarily military and government targets, revealed a stealthy operation involving various generations of custom malware and phishing tactics.

A recent investigation by Bitdefender Labs has uncovered the activities of a previously unknown cyber threat group, dubbed “Unfading Sea Haze.” This group has been actively targeting high-level organizations, particularly military and government entities, in countries surrounding the South China Sea. The scope and nature of their attacks suggest a potential alignment with Chinese interests in the region.

It is worth noting that the South China Sea nations typically refer to countries that border the South China Sea. These include China, Taiwan, the Philippines, Malaysia, Brunei, Indonesia, and Vietnam.

****A Journey Through Time: Unraveling the Past Activities****

The investigation spanned at least eight victims and traced the group’s activities back to 2018, revealing a complex digital archaeology. Unfading Sea Haze has repeatedly gained access to compromised systems, exploiting poor credential hygiene and inadequate patching practices. Their ability to remain invisible for over five years indicates a sophisticated and patient threat actor, likely backed by nation-state resources.

****Attribution: Clues Pointing to Chinese Cyber Ecosystem****

While a definitive attribution remains challenging, Bitdefender’s research provides suggestive clues. The group’s focus on South China Sea countries and the use of tools popular with Chinese actors, such as Gh0st RAT variants, hint at a connection to the Chinese cyber ecosystem.

Additionally, a specific technique resembling a feature found in the “funnyswitch” backdoor, linked to APT41, further strengthens this hypothesis.

Screenshot shows the malware extracting encrypted data from Google Chrome (Image credit: Bitdefender Labs)

****Anatomy of an Attack: Initial Compromise and Tactics****

Unfading Sea Haze’s tactics include spear-phishing emails with malicious archives, containing LNK files disguised as regular documents. These files execute malicious commands, providing the group with access to victim systems. They have also incorporated Remote Monitoring and Management (RMM) tools, such as ITarian RMM, into their arsenal, a deviation from typical nation-state actor tactics.

****Execution: A Sophisticated Malware Arsenal****

Unfading Sea Haze has developed a sophisticated and evolving malware arsenal. Initially, they relied on SilentGh0st, TranslucentGh0st, and SharpJSHandler, supported by Ps2dllLoader.

However, in 2023, they began deploying new components, such as msbuild.exe and C# payloads stored on remote SMB shares. They have also adopted modular and plugin-based variants, like FluffyGh0st, InsidiousGh0st, and EtherealGh0st, for improved evasion capabilities.

****Data Collection: Custom Tools and Manual Techniques****

The group’s primary objective appears to be espionage, as evidenced by their use of custom and off-the-shelf tools for data collection. They employ a custom keylogger, xkeylog, and a browser data stealer to capture sensitive information.

Additionally, they use manual techniques, such as archiving data with rar.exe and targeting messaging app data, demonstrating a targeted and flexible approach to data extraction.

Unfading Sea Haze initially used a custom tool, DustyExfilTool, for data exfiltration. However, they switched to the curl utility and FTP protocol in 2022. Their exfiltration tactics have evolved, with dynamic and randomly generated credentials, indicating a focus on improving operational security.

****Conclusion and Recommendations: A Layered Defense Strategy****

Unfading Sea Haze has showcased a sophisticated and flexible approach to cyberattacks. To mitigate the risks posed by this group and similar threat actors, organizations should adopt a multilayered defense strategy.

This includes robust vulnerability management, strong authentication, proper network segmentation, effective logging, and collaboration within the cybersecurity community. By staying vigilant and proactive, organizations can enhance their resilience against such sophisticated cyber threats.

For a comprehensive understanding of Unfading Sea Haze’s tactics and malware arsenal, refer to the full research paper (PDF) by Bitdefender Labs.

1. China-Linked Spyware Found in Play Store Apps, 2m Downloads
2. China’s insidious surveillance against Uyghurs with Android malware
3. Muddling Meerkat Suspected of Espionage via Great Firewall of China
4. Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage
5. Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff