The threat actors maintain persistence through scheduled tasks; to avoid detection, the attackers used task names impersonating legitimate Windows files. The scheduled tasks are combined with DLL sideloading to execute a malicious payload.
Attackers also manipulate local Administrator accounts to maintain persistence: they were spotted enabling the disabled local Administrator account and then resetting its password.
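One way a defender could surface the Administrator-account manipulation described above, as an added example that is not from the report or this article: a correlation over Windows Security events that flags the built-in Administrator (RID 500) being enabled (event 4722) and then having its password reset (event 4724) on the same host within a short window. The event records are constructed sample data, and the field names are assumptions modelled on the Security log.

```python
"""Correlate 'account enabled' (4722) followed by 'password reset' (4724)
for the built-in Administrator. Added example; events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions, modelled on the
# Windows Security log). The built-in Administrator always has RID 500.
SAMPLE_EVENTS = [
    {"time": "2022-09-14T02:11:05", "event_id": 4722, "subject": "CORP\\svc_rmm",
     "target_sid": "S-1-5-21-1111-2222-3333-500", "host": "FILESRV01"},
    {"time": "2022-09-14T02:11:47", "event_id": 4724, "subject": "CORP\\svc_rmm",
     "target_sid": "S-1-5-21-1111-2222-3333-500", "host": "FILESRV01"},
    {"time": "2022-09-14T09:30:00", "event_id": 4724, "subject": "CORP\\helpdesk",
     "target_sid": "S-1-5-21-1111-2222-3333-1105", "host": "WS042"},
    {"time": "2022-09-15T11:00:00", "event_id": 4722, "subject": "CORP\\helpdesk",
     "target_sid": "S-1-5-21-1111-2222-3333-500", "host": "WS042"},
]


def is_builtin_admin(sid: str) -> bool:
    """Match on the well-known RID rather than the display name, because the
    built-in account may have been renamed."""
    return sid.endswith("-500")


def find_admin_reactivations(events, window=timedelta(minutes=30)):
    """Return (host, subject, enable_time, reset_time) tuples where the
    built-in Administrator was enabled (4722) and then had its password
    reset (4724) on the same host within `window`."""
    hits = []
    enabled = {}  # host -> list of (time, subject) for 4722 events seen so far
    for e in sorted(events, key=lambda e: e["time"]):
        if not is_builtin_admin(e["target_sid"]):
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4722:
            enabled.setdefault(e["host"], []).append((ts, e["subject"]))
        elif e["event_id"] == 4724:
            for en_ts, subject in enabled.get(e["host"], []):
                if timedelta(0) <= ts - en_ts <= window:
                    hits.append((e["host"], subject, en_ts.isoformat(), ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_admin_reactivations(SAMPLE_EVENTS):
        print("ALERT: built-in Administrator enabled then password reset:", hit)
```

Only the FILESRV01 pair fires: the jdoe reset is for a different RID, and the WS042 enable has no matching reset.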
Unfading Sea Haze has notably begun using Remote Monitoring and Management (RMM) tools, particularly ITarian RMM, since at least September 2022 to compromise targets’ networks. This approach represents a significant shift from typical nation-state tactics. Additionally, experts collected evidence that they may have established persistence on web servers, such as Windows IIS and Apache httpd, likely using web shells or malicious modules. However, the exact persistence mechanisms remain unclear due to insufficient forensic data.
The Chinese threat actor has developed a sophisticated collection of custom malware and hacking tools. Since at least 2018, they used SilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader. In 2023, they replaced Ps2dllLoader with a new mechanism using msbuild.exe and C# payloads from a remote SMB share. The attackers also replaced fully featured Gh0stRat variants with more modular, plugin-based versions called FluffyGh0st, InsidiousGh0st (available in C++, C#, and Go), and EtherealGh0st.
“One of the payloads delivered by Ps2dllLoader is SharpJSHandler.” reads the report. “SharpJSHandler operates by listening for HTTP requests. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.

Our investigation also uncovered two additional variations that utilize cloud storage services for communication instead of direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler retrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back to the same location.

These cloud-based communication methods present a potential challenge for detection as they avoid traditional web shell communication channels.”
The threat actors used both custom malware and off-the-shelf tools to gather sensitive data from victim machines.
One of the malware tools used for data collection is a keylogger called xkeylog; they also used a web browser data stealer, a tool to monitor the presence of portable devices, and a custom tool named DustyExfilTool.
The attackers are also able to target messaging applications like Telegram and Viber. They first terminate the processes for these apps (telegram.exe and viber.exe), then use rar.exe to archive the application data.
“The Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques.” concludes the report. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach.”