Unfading Sea Haze Attacks: Research Reveals Threat Group
In the ever-evolving landscape of cybersecurity, a new player has emerged onto the scene, named Unfading Sea Haze attacks. This previously undisclosed threat group has garnered attention from researchers due to its targeted activities, primarily focused on high-level organizations within countries surrounding the South China Sea. Let’s look into the details of these South China Sea cyberattacks and understand its modus operandi.
Unfading Sea Haze Attacks Targeting High-Profile Entities
Unfading Sea Haze has set its sights on strategic targets, particularly military and government organizations in South China Sea countries. Bitdefender, a leading cybersecurity firm, has shed light on the group’s activities, revealing a pattern of intrusion dating back to 2018. Despite being a relatively new entrant, Unfading Sea Haze group has managed to compromise eight victims thus far.
Malware Detection
According to the Bitdefender report, one alarming aspect of Unfading Sea Haze’s tactics is its ability to repeatedly regain access to compromised systems. This highlights a crucial vulnerability in cybersecurity practices – poor credential management and inadequate patching of exposed devices and web services. The group’s persistence in exploiting these weaknesses underscores the
importance of robust security measures.
Aligned Interests and Attribution Challenges
While the motives behind Unfading Sea Haze attacks remain somewhat ambiguous, there are indications that their goals align with Chinese interests. However, attributing these attacks solely to a specific nation-state actor is challenging, as the attack signatures do not directly overlap with those of known hacking groups. Nevertheless, similarities in victimology and malware usage suggest a possible connection to previous Chinese-linked activities.
Intricate Attack Techniques
Unfading Sea Haze employs a variety of sophisticated techniques to infiltrate and maintain access to target networks. One such method involves spear phishing emails containing malicious archive files. These files, when opened, trigger the execution of a backdoor known as SerialPktdoor, allowing the group to execute commands remotely without leaving traces on the victim’s system.
Evasion and Persistence
The group’s tactics extend beyond initial access, incorporating techniques to establish persistence within compromised networks. This includes leveraging scheduled tasks and manipulating local Administrator accounts to maintain control over infiltrated systems. Additionally, Unfading Sea Haze utilizes commercially available Remote Monitoring and Management (RMM) tools to facilitate its operations, further enhancing its stealth and efficacy.
A Diverse Arsenal of Malware
Unfading Sea Haze boasts a diverse arsenal of custom and off-the-shelf fileless malware, including variants of the Gh0st RAT family and other specialized tools. These tools enable the group to perform a range of malicious activities, from keylogging and data stealing to executing PowerShell scripts and exfiltrating sensitive information.
Media reports state that these archive files come fitted with Windows shortcut LNK files that, when launched, set off the infection process by executing a command that’s designed to retrieve the next-stage payload from a remote server.
In a statement provided by Bitdefender, they noted, “Both involve loading .NET assemblies and executing JScript code. However, this was an isolated similarity,” referring to the ‘FunnySwitch’ backdoor, which has been linked to APT41.
Manual Data Extraction and Espionage
One notable aspect of this China cyber espionage is its manual approach to data exfiltration. The group selectively extracts information of interest, including data from messaging applications like Telegram and Viber, and packages it into password-protected archives. This targeted approach underscores the group’s focus on espionage and acquiring sensitive information from compromised systems.
Conclusion
The emergence of Unfading Sea Haze highlights the evolving nature of cyber threats and the importance of vigilance in the face of sophisticated adversaries. Endpoint security is crucial for protecting devices and networks from cyber threats.
By understanding the group’s tactics and techniques, organizations can better prepare themselves to defend against future attacks. Implementing robust security measures, including regular security patching and credential management, is essential to mitigating the risks posed by such threats.
The sources for this piece include articles in The Hacker News and The Record.