Gh0st RAT Malware: The Silent Cyber Menace in the South China Sea


In an alarming revelation, cybersecurity researchers have uncovered activity involving Gh0st RAT malware in the hands of a previously undocumented threat group, dubbed Unfading Sea Haze. Believed to have been active since 2018, this sophisticated group has been targeting high-level organizations in South China Sea countries, including military and government entities. The findings, shared by Bitdefender with The Hacker News, spotlight the evolving and persistent nature of cyber threats aligned with geopolitical interests.

Persistent Intrusions and Poor Cyber Hygiene

Bitdefender’s investigation identified eight victims so far, underscoring a significant pattern of repeated intrusions. “The attackers repeatedly regained access to compromised systems,” noted Martin Zugec, Technical Solutions Director at Bitdefender. This persistent exploitation highlights critical vulnerabilities in cyber defenses, particularly poor credential hygiene and inadequate patching practices on exposed devices and web services.

Chinese Interests and Victimology Footprint

While the attack signatures do not match those of any known hacking groups, there are indications that the threat actor’s goals align with Chinese interests. This is particularly evident in the selection of targets, which includes countries like the Philippines and other organizations in the South Pacific, reminiscent of targets previously attacked by the China-linked Mustang Panda actor.

Technical Tactics and Gh0st RAT Malware

Unfading Sea Haze employs a variety of sophisticated techniques and tools in its cyber arsenal. A notable tool is the Gh0st RAT malware, a well-known trojan frequently used by Chinese-speaking threat actors. Additionally, the group executes JScript code through a component called SharpJSHandler, which bears a resemblance to features of the ‘FunnySwitch’ backdoor linked to APT41. Despite these similarities, the usage appears isolated.

Initial Access and Spear-Phishing Tactics

The exact initial access pathways remain unknown, but spear-phishing emails containing booby-trapped archives have been a consistent method for regaining access to compromised entities. These archives include Windows shortcut (LNK) files that, when launched, execute commands to retrieve the next-stage payload from a remote server. This payload, a backdoor named SerialPktdoor, is designed to run PowerShell scripts, manage files, and conduct various other malicious activities.

Fileless Execution and Persistence Mechanisms

One of the notable aspects of Unfading Sea Haze’s operations is the use of the Microsoft Build Engine (MSBuild) for fileless execution. This method leaves no trace on the victim’s system, significantly reducing the chances of detection. The group also establishes persistence using scheduled tasks that mimic legitimate Windows files to run harmless executables susceptible to DLL side-loading, ultimately loading a malicious DLL.
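MSBuild-based fileless execution relies on inline tasks: a project file carries C# (or VB) source that MSBuild compiles and runs in memory, so no separate binary ever touches disk. The scanner below is an added example (not Bitdefender's code or anything recovered from the campaign) that flags UsingTask elements with an inline code body in a project file; legitimate builds use inline tasks too, so a hit is a triage lead, not proof of compromise. The sample project is constructed.

```python
"""Flag inline task definitions in MSBuild project files (the mechanism
behind MSBuild fileless execution).  Added example; the sample project
below is constructed and carries only a placeholder body."""
import xml.etree.ElementTree as ET

# Task factories that compile and run source embedded in the project itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.split("}")[-1]

def find_inline_tasks(project_xml: str) -> list[dict]:
    """Return one finding per UsingTask that uses an inline factory or <Code>."""
    root = ET.fromstring(project_xml)
    findings = []
    for node in root.iter():
        if _local(node.tag) != "UsingTask":
            continue
        factory = node.get("TaskFactory", "")
        code = next((c for c in node.iter() if _local(c.tag) == "Code"), None)
        if factory.lower() in INLINE_FACTORIES or code is not None:
            findings.append({
                "task": node.get("TaskName", "?"),
                "factory": factory,
                "language": code.get("Language", "") if code is not None else "",
                "code_bytes": len(code.text or "") if code is not None else 0,
            })
    return findings

# Constructed sample: a project whose only purpose is to run embedded C#.
SAMPLE_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Run /></Target>
  <UsingTask TaskName="Run" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      // placeholder body for the example; does nothing
      public class Run : Microsoft.Build.Utilities.Task {
        public override bool Execute() { return true; }
      }
    ]]></Code></Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for f in find_inline_tasks(SAMPLE_PROJECT):
        print(f"inline task {f['task']!r} via {f['factory']} ({f['language']}, {f['code_bytes']} bytes)")
```

Pointing `find_inline_tasks` at .proj/.csproj/.xml files found in user-writable locations (temp, downloads, profile directories) is where it earns its keep, since build projects normally live in source trees.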

Another persistence technique involves manipulating local Administrator accounts by enabling disabled accounts and resetting passwords. Since September 2022, the group has been observed using commercially available Remote Monitoring and Management (RMM) tools, such as ITarian RMM, to gain a foothold in victim networks—an unusual tactic for nation-state actors, with notable exceptions like the Iranian MuddyWater group.
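Both persistence patterns above leave a trail in the Windows Security log: enabling an account logs event 4722 and a password reset logs 4724, while scheduled task creation logs 4698 with the task's action. The detector below is an added example (not Bitdefender's logic) over constructed events with simplified field names; it pairs an enable with a reset on the same account inside a short window, and flags tasks whose action binary sits outside the Windows directory even when its name looks like a system file.

```python
"""Detect account enable-then-reset and out-of-place scheduled tasks in
Windows Security events.  Added example; EVENTS is constructed and the
field names are a simplified view of the real event data."""
from datetime import datetime, timedelta
import ntpath

# Constructed events: a service account enables and resets Administrator,
# then a task named like a Windows one runs a binary from ProgramData.
EVENTS = [
    {"id": 4722, "time": "2024-03-01T02:11:05", "subject": "svc_backup", "target": "Administrator"},
    {"id": 4724, "time": "2024-03-01T02:11:09", "subject": "svc_backup", "target": "Administrator"},
    {"id": 4698, "time": "2024-03-01T02:13:40", "subject": "Administrator",
     "task": "\\Microsoft\\Windows\\Wininet\\CacheTask",
     "command": "C:\\ProgramData\\Intel\\wuauclt.exe"},
    {"id": 4698, "time": "2024-03-01T08:00:00", "subject": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe"},
]

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

def enable_then_reset(events, window=timedelta(minutes=10)):
    """(account, actor) pairs where 4722 is followed by 4724 within `window`."""
    enabled, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4722:
            enabled[ev["target"].lower()] = _t(ev["time"])
        elif ev["id"] == 4724:
            t0 = enabled.get(ev["target"].lower())
            if t0 is not None and _t(ev["time"]) - t0 <= window:
                hits.append((ev["target"], ev["subject"]))
    return hits

def tasks_outside_windows(events):
    """(task, binary) for 4698 events whose action is not under C:\\Windows."""
    hits = []
    for ev in events:
        if ev["id"] != 4698:
            continue
        cmd = ev["command"].lower()
        for var in ("%windir%", "%systemroot%"):   # common ways to spell it
            cmd = cmd.replace(var, "c:\\windows")
        if not cmd.startswith("c:\\windows\\"):
            hits.append((ev["task"], ntpath.basename(ev["command"])))
    return hits

if __name__ == "__main__":
    print("enable+reset:", enable_then_reset(EVENTS))
    print("tasks outside Windows dir:", tasks_outside_windows(EVENTS))
```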

Sophisticated Custom Tools and Modular Malware

The sophistication of Unfading Sea Haze is evident in its wide array of custom tools. These include multiple variants of the Gh0st RAT, such as SilentGh0st, InsidiousGh0st (in C++, C#, and Go versions), TranslucentGh0st, FluffyGh0st, and EtherealGh0st. These tools are modular and adopt a plugin-based approach, enhancing their flexibility and evasion capabilities.

A critical component of their toolkit is Ps2dllLoader, capable of bypassing the Antimalware Scan Interface (AMSI) and delivering SharpJSHandler. This handler listens for HTTP requests and executes encoded JavaScript using the Microsoft.JScript library. Bitdefender discovered multiple variants of SharpJSHandler that can retrieve and execute payloads from cloud storage services like Dropbox and Microsoft OneDrive.


Data Exfiltration and Manual Extraction

Unfading Sea Haze’s data exfiltration methods are notably manual, targeting sensitive information from compromised systems. The group uses a custom data exfiltration tool, DustyExfilTool, alongside a keylogger called xkeylog and a web browser data stealer. They also monitor portable devices and employ SharpZulip, a backdoor that uses the Zulip messaging service API for command execution.

This manual approach allows the threat actors to capture specific information of interest, including data from messaging applications like Telegram and Viber, often packaging it into password-protected archives for exfiltration.

A Targeted Espionage Campaign

“Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques,” Zugec pointed out. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures.”

The blend of custom and off-the-shelf tools, combined with manual data extraction, paints a picture of a highly targeted espionage campaign aimed at acquiring sensitive information from compromised systems. As cyber threats continue to evolve, the case of Unfading Sea Haze serves as a stark reminder of the need for robust cybersecurity measures and constant vigilance in the face of sophisticated adversaries.
