Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Unfading Sea Haze APT Targeting South China Sea Governments

Bitdefender Exposes Unfading Sea Haze's Advanced Cyberespionage Tactics
Unfading Sea Haze APT Targeting South China Sea Governments
A view of the South China Sea (Image: Shutterstock)

A previously undetected, suspected Chinese-state threat actor has been targeting governments in the South China Sea for years with a remote access Trojan that has been a favorite of Chinese hackers since its creation almost two decades ago.

See Also: Small Business Firewall Guide

Security researches from Bitdefender said Wednesday the threat actor it dubs Unfading Sea Haze doesn't appear to be a previously known Beijing threat actor - although it does show signs of a Chinese origin.

The most obvious indicator are the targets, since China has for decades aggressively moved to dominate the South China Sea past internationally recognized boundaries. The group has a consistent focus on espionage. The attackers employ keyloggers, browser data stealers and other custom tools to gather sensitive information from compromised systems. They also use a custom data exfiltration tool, DustyExfilTool, to securely transmit stolen data to their servers.

Technical indicators linking the group to Beijing include its deploying a web shell alternative known as SharpJSHandler that resembles a feature in a backdoor linked to a known Beijing hacking group tracked as APT41, Winnti, Wicked Panda and Wicked Spider.

Unfading Sea Haze has also used multiple iterations of the Gh0ST RAT framework, a tool deployed by Chinese criminal and state-backed hackers since a Chinese hacking group named C. Rufus Security Team released it publicly in 2008.

Leaks earlier this year from a Chinese state contractor show that overlap between Chinese hacking groups is at least partially attributable to hacking contractors that support multiple campaigns with similar tools. It lends further credence to the "quartermaster" theory of Chinese hacking, which holds that Chinese-state hacking groups draw from centralized pools of tools and techniques (see: iSoon Leak Shows Links to Chinese APT Groups).

Bitdefender's investigation identified at least eight victims, mainly government and military agencies.

Unfading Sea Haze employs a range of custom malware, from older versions of Gh0st RAT to more advanced modular variants. The investigation documented multiple iterations of these tools, indicating an evolution in sophistication and stealth.

The attackers use fileless attack methods, which execute malicious code in memory rather than writing it to disk, making detection difficult. One such method leverages Microsoft's MSBuild tool to execute code from remote SMB shares, avoiding traditional file-based detection.

DLL sideloading is another key technique used by the hacking group. The method involves tricking legitimate programs into loading malicious DLL files, allowing attackers to execute their code under the guise of trusted software. Researchers observed the hackers renaming the mspaint.exe and placing it in a directory with a malicious DLL.

The use of the SharpJSHandler tool highlights the group's innovative approach to maintaining persistence. SharpJSHandler functions similarly to a web shell, executing encoded JavaScript code via HTTP requests or cloud storage services such as Dropbox and OneDrive, which can complicate detection efforts.

Researchers concluded that from March 1, 2018, to January 20, 2022, hackers exfiltrated data using DustyExfilTool. This command line tool - which takes a file path, server IP address, and port as input - transmits files securely via TLS over TCP.

Starting in January 2022, the attackers switched to using the curl utility and FTP protocol for exfiltration, after initially using hard-coded credentials.

Since 2023, they have adopted a more dynamic approach, frequently changing the FTP credentials, which now appear randomly generated. This change suggests an effort to improve operational security.

Researchers said that the attackers often regained access to compromised systems by exploiting poor credential hygiene and inadequate patching practices.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.