May 24, 2024
Severity
High
Analysis Summary
A previously unknown threat group, tracked as Unfading Sea Haze, has been active since 2018 and targets high-level organizations in South China Sea countries, particularly military and government entities.
According to researchers, eight victims have been identified, and the attackers repeatedly regained access to systems they had already compromised, which the researchers attribute to poor credential hygiene and inadequate patching. The group's activities align with Chinese interests, as seen in its victimology and in its use of the Gh0st RAT malware family, which is commonly associated with Chinese-speaking threat actors. Unfading Sea Haze also employs sophisticated techniques, including executing JScript code through the SharpJSHandler tool, which resembles the APT41-linked FunnySwitch backdoor.
The exact initial access pathway remains unclear, though spear-phishing emails carrying booby-trapped archives have been observed. These archives contain Windows shortcut (LNK) files that trigger the infection chain, ultimately deploying the SerialPktdoor backdoor, which supports running PowerShell scripts and manipulating files on the host.
The group's persistence mechanisms include scheduled tasks that mimic legitimate Windows files and manipulation of the built-in local Administrator account to retain access. Since September 2022, the group has also used commercially available Remote Monitoring and Management (RMM) tools such as ITarian RMM, a tactic rarely seen in state-sponsored operations, with the Iranian MuddyWater group a notable exception. Its arsenal includes custom tools such as variants of the Gh0st RAT family and Ps2dllLoader, which bypasses the Antimalware Scan Interface (AMSI) to deliver SharpJSHandler, a .NET component that executes encoded JavaScript through the Microsoft.JScript library.
Unfading Sea Haze also uses a range of tools for data collection and exfiltration: xkeylog for keylogging, web browser data stealers, and DustyExfilTool for custom exfiltration. Notably, the SharpZulip backdoor fetches its commands through the Zulip messaging service API, so its command-and-control traffic passes as ordinary use of a legitimate service. Much of the data collection appears to be performed manually, including harvesting data from messaging applications such as Telegram and Viber.
This blend of custom and off-the-shelf tooling with hands-on data collection points to a targeted espionage campaign that prioritizes flexibility, evasion, and the acquisition of sensitive information from compromised systems.
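The two persistence behaviours described above (lookalike scheduled tasks and manipulation of the built-in Administrator account) leave traces in the Windows Security log that can be hunted for. The script below is an added example written for this advisory, not code from the original page or from the researchers: it reads records shaped like Security events 4698 (scheduled task created), 4722 (account enabled) and 4724 (password reset), flags tasks whose binary name mimics a Windows executable but runs from an untrusted directory, and flags any enable or password reset aimed at RID 500 regardless of the account's current name. The events are constructed samples, and the list of Windows binary names is an illustrative starting point rather than a complete inventory.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Binary names attackers borrow for lookalike tasks and payload files
# (illustrative set, not a complete inventory of Windows executables).
WINDOWS_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "taskhostw.exe", "dllhost.exe", "conhost.exe", "spoolsv.exe", "wuauclt.exe",
}
# Directories where those binaries legitimately live (lower case, no trailing slash).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def normalize_command(command: str) -> str:
    """Lower-case, strip quotes and expand the env vars usually seen in task XML."""
    cmd = command.strip().strip('"').lower()
    return cmd.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def task_command(task_xml: str) -> str:
    """Return the <Command> of the first <Exec> action in Task Scheduler XML.
    4698 events embed the task with a UTF-16 declaration; the text we hold is
    already decoded, so the declaration is dropped before parsing."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    node = ET.fromstring(body).find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return normalize_command(node.text or "") if node is not None else ""


def is_masquerading(command: str) -> bool:
    """True when the file name mimics a Windows binary but runs from an untrusted directory."""
    path = PureWindowsPath(normalize_command(command))
    return path.name in WINDOWS_BINARY_NAMES and str(path.parent) not in TRUSTED_DIRS


def is_builtin_admin(sid: str) -> bool:
    """RID 500 is the built-in local Administrator whatever it is currently named."""
    return sid.rsplit("-", 1)[-1] == "500"


def hunt(events):
    """Return (computer, finding, subject, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4698:  # scheduled task created
            cmd = task_command(ev["TaskContent"])
            if is_masquerading(cmd):
                findings.append((ev["Computer"], "masquerading_task", ev["TaskName"], cmd))
        elif eid in (4722, 4724) and is_builtin_admin(ev["TargetSid"]):  # enabled / reset
            what = "admin_enabled" if eid == 4722 else "admin_password_reset"
            findings.append((ev["Computer"], what, ev["TargetUserName"], ev["SubjectUserName"]))
    return findings


def task_xml(command: str, args: str) -> str:
    """Build a minimal Task Scheduler document for the constructed samples."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f'<Arguments>{args}</Arguments></Exec></Actions></Task>'
    )


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\Microsoft\Windows\Maintenance\svchost",
     "TaskContent": task_xml(r"%SystemRoot%\System32\svchost.exe", "-k netsvcs")},
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\Microsoft\Windows\WindowsUpdate\svchost",
     "TaskContent": task_xml(r"C:\Users\Public\Libraries\svchost.exe", "")},
    {"EventID": 4722, "Computer": "WS01", "TargetUserName": "Administrator",
     "TargetSid": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "jdoe"},
    {"EventID": 4724, "Computer": "WS02", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

Matching on the RID rather than the account name matters because the built-in Administrator is often renamed; matching on the full path rather than the file name matters because the legitimate svchost.exe and the lookalike share a name and differ only in where they run from.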
Impact
- Unauthorized Access
- Sensitive Information Theft
- Data Exfiltration
- Cyber Espionage
Indicators of Compromise
Domain Name
- mail.simpletra.com
- bitdefenderupdate.org
- mail.bomloginset.com
- dns-log.d-n-s.org.uk
- link.theworkguyoo.com
MD5
- 1ce17f0e2a000a889b3f81e80b95f19f
- 6a0933d08d8d27165f72c53df8f1bf04
- 2e4055e16c1a9274caa182223977eda1
- 1e55bda0b7eb0aea78577a21f51e8f5c
- b3dc2dcb0f2a5661aed1f4e6d9e88bc6
SHA-256
- 6b5b8b12af21700a212d5ece27f065f8f9ed38b2969ad5dfaa790bc76754de6c
- 1116efd48ca01623bf385cd612f4da1eb9eeba0329e41d0e068bcd6557a46f8f
- 93abcc4062a14ba3d3309fc5e8a910e81a4e3ce1bbbf5e6f7857779b6e76f43a
- 9fc446be8d03a135f901ba77cce1f39bb609d8e9ee3101399fa7e9e73299d379
- 7587ca6b8163e3e5b05e4a9fc79ec19deee9c971e6f76adadc4d970c99cad4f3
SHA1
- d421830cc2c1a04dd89c94bee0714ef805fa6c4c
- a23704a9a673dc1de624dc80e441d18ebb0c5fb8
- ed389a02b46cb203a2308aac5722176766936234
- d353bb3f4ce1e25e6f641013ee1db442140fc130
- 7c1a3c5c016209a502fe5157b7c525c6b079d79b
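The indicators above are only useful once they are swept against local evidence. The script below is an added example for this advisory, not code from the original page: it loads the domain and hash sets listed above, hashes files under a directory in a single pass against all three digest sets, and scans resolver log lines for exact or subdomain matches. The DNS log lines are constructed samples in a simple "timestamp client qname" layout (adapt sweep_dns() to your resolver's real format); they include a query for the legitimate bitdefender.com domain to show why label-based matching, not substring matching, is needed against the lookalike bitdefenderupdate.org.

```python
import hashlib
from pathlib import Path

# Indicators from the lists above, normalized to lower case.
DOMAINS = {
    "mail.simpletra.com", "bitdefenderupdate.org", "mail.bomloginset.com",
    "dns-log.d-n-s.org.uk", "link.theworkguyoo.com",
}
HASHES = {
    "md5": {
        "1ce17f0e2a000a889b3f81e80b95f19f", "6a0933d08d8d27165f72c53df8f1bf04",
        "2e4055e16c1a9274caa182223977eda1", "1e55bda0b7eb0aea78577a21f51e8f5c",
        "b3dc2dcb0f2a5661aed1f4e6d9e88bc6",
    },
    "sha1": {
        "d421830cc2c1a04dd89c94bee0714ef805fa6c4c", "a23704a9a673dc1de624dc80e441d18ebb0c5fb8",
        "ed389a02b46cb203a2308aac5722176766936234", "d353bb3f4ce1e25e6f641013ee1db442140fc130",
        "7c1a3c5c016209a502fe5157b7c525c6b079d79b",
    },
    "sha256": {
        "6b5b8b12af21700a212d5ece27f065f8f9ed38b2969ad5dfaa790bc76754de6c",
        "1116efd48ca01623bf385cd612f4da1eb9eeba0329e41d0e068bcd6557a46f8f",
        "93abcc4062a14ba3d3309fc5e8a910e81a4e3ce1bbbf5e6f7857779b6e76f43a",
        "9fc446be8d03a135f901ba77cce1f39bb609d8e9ee3101399fa7e9e73299d379",
        "7587ca6b8163e3e5b05e4a9fc79ec19deee9c971e6f76adadc4d970c99cad4f3",
    },
}


def domain_matches(qname: str):
    """Return the IOC domain on an exact or subdomain match, else None.
    Label matching, not substring matching: www.bitdefender.com must not trip
    on the lookalike bitdefenderupdate.org."""
    q = qname.strip().lower().rstrip(".")
    return next((d for d in DOMAINS if q == d or q.endswith("." + d)), None)


def hash_file(path) -> dict:
    """Compute MD5, SHA1 and SHA-256 of a file in a single pass."""
    digests = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in digests.items()}


def hash_matches(digests: dict) -> list:
    """Names of the hash algorithms whose value appears in the IOC sets."""
    return [algo for algo, value in digests.items() if value.lower() in HASHES.get(algo, ())]


def sweep_files(root):
    """Hash every file under root and report those matching an IOC hash."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            matched = hash_matches(hash_file(p))
            if matched:
                hits.append((str(p), matched))
    return hits


def sweep_dns(lines):
    """Scan resolver log lines ('timestamp client qname ...') for IOC domains."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, client, qname = fields[:3]
        ioc = domain_matches(qname)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


# Constructed sample log, not real telemetry: a lookalike-vendor query that
# must NOT match, one exact IOC hit, and one subdomain of an IOC domain.
SAMPLE_DNS_LOG = """\
2024-05-24T08:12:01Z 10.0.4.17 www.bitdefender.com A
2024-05-24T08:12:05Z 10.0.4.17 link.theworkguyoo.com A
2024-05-24T08:13:44Z 10.0.9.2 updates.bitdefenderupdate.org A
2024-05-24T08:14:10Z 10.0.9.2 login.microsoftonline.com A
"""

if __name__ == "__main__":
    for hit in sweep_dns(SAMPLE_DNS_LOG.splitlines()):
        print("DNS hit:", *hit)
```

Run sweep_files() against the directories the group is known to drop into (user-writable locations such as C:\Users\Public) rather than whole volumes, and treat a subdomain hit the same as an exact hit: attacker-controlled zones can serve any label beneath the listed name.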
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly; layered protection is needed because several of the group's tools (Ps2dllLoader's AMSI bypass, RMM software) are designed to slip past a single control.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy; inadequate patching is one of the reasons this group repeatedly regained access to its victims.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- After containment, reset credentials (including the built-in local Administrator account) and audit scheduled tasks and installed RMM agents, since the group has repeatedly regained access to previously cleaned systems through weak credential hygiene.