How Fileless Malware was used to Hack Government Entity
Hackers Found in Military and Government Networks After Six Years
A recently discovered cyber threat group, known as "Unfading Sea Haze," has been infiltrating military and government networks in the South China Sea region since 2018 without being detected. This group has focused on gathering intelligence and engaging in espionage activities, aligning with Chinese geopolitical interests, according to Bitdefender researchers.
Tactics, Techniques and Procedures
"Unfading Sea Haze" has shown significant operational similarities with other known Chinese state-sponsored groups, particularly APT41. Their sophisticated methods include the use of fileless malware attacks and advanced evasion techniques.
Key Methods and Tools
Initial Access and Persistence: The group abuses legitimate tools like msbuild.exe to execute malicious code in memory, leaving minimal traces on the victim's systems. This method includes the use of a backdoor called "SerialPktdoor", which grants remote access to compromised systems.
Maintaining Access: They create and manipulate local administrator accounts on Windows systems, resetting passwords and modifying registry settings to hide these accounts from the login screen, ensuring persistent access.
Data Extraction: The attackers employ custom tools like DustyExfilTool for secure data exfiltration using TLS over TCP. Recent attacks have seen the use of FTP with frequently changing credentials for data exfiltration.
Evolution of Tools
Since 2023, "Unfading Sea Haze" has evolved its toolset to include stealthier malware variants:
SilentGh0st: An older variant providing extensive command and module capabilities.
InsidiousGh0st: A Go-based variant that includes improvements in TCP proxy, SOCKS5, and PowerShell.
New Variants: Tools like TranslucentGh0st, EtherealGh0st, and FluffyGh0st feature dynamic plugin loading and are designed for more evasive operations.
Specific Attack Techniques
"Unfading Sea Haze" employs a variety of sophisticated techniques to remain undetected and achieve their objectives. Here are detailed insights into some of their methods:
Fileless Malware Execution:
MSBuild Abuse: The group leverages msbuild.exe, a legitimate Microsoft tool, to compile and execute malicious code directly in memory. This technique avoids writing executable files to disk, making detection significantly harder. The attackers use custom XML project files to load and execute payloads.
Advanced Evasion Techniques:
Living off the Land Binaries (LOLBins): By abusing legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), and Microsoft Office macros, the attackers can execute their payloads while blending in with normal system activity.
In-Memory Execution: To avoid detection by traditional antivirus solutions, the group executes most of their malicious operations directly in memory, leaving minimal forensic evidence on disk.
Persistent Access:
Registry Manipulation: The attackers modify Windows Registry entries to ensure their malicious services and scripts persist across reboots. They create hidden administrator accounts and alter registry settings to hide these accounts from the login screen.
Scheduled Tasks and Services: By creating scheduled tasks or installing malicious services, the group maintains persistence on infected machines, allowing them to re-establish connections even after system reboots.
Credential Theft and Privilege Escalation:
LSASS Dumping: The attackers use tools like Mimikatz to dump credentials from the Local Security Authority Subsystem Service (LSASS) process. This allows them to escalate privileges and move laterally across the network.
Token Impersonation: They impersonate tokens to gain access to restricted resources, leveraging stolen credentials to escalate privileges within the network.
Data Exfiltration:
Encrypted Channels: To exfiltrate data, the group uses custom tools like DustyExfilTool, which encapsulate data in encrypted TLS tunnels, making it difficult for network monitoring tools to detect the exfiltration.
Dynamic C2 Infrastructure: The attackers frequently change their command and control (C2) infrastructure to avoid detection and takedown. They use domain generation algorithms (DGA) and fast-flux DNS techniques to keep their C2 infrastructure resilient and dynamic.
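Two of the behaviours above (msbuild.exe compiling a project file outside a developer toolchain, and a local account being hidden from the logon screen through the registry) leave footprints in endpoint telemetry that the log review recommended later in the post can catch. The following detection logic is an added example written for this post, not tooling from Bitdefender or the CCCS; it runs over constructed Sysmon-style events, and the SpecialAccounts\UserList registry path is the standard Windows setting for hiding accounts from the logon screen (the report itself does not name the specific key).

```python
import re

# Constructed Sysmon-style records (not from the report): ID 1 = process creation,
# ID 13 = registry value set. Field names mirror Sysmon's Image/CommandLine/
# ParentImage and TargetObject/Details.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\update.proj",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe /m C:\dev\App.csproj",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                         r"\SpecialAccounts\UserList\svc_backup",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

# Project-file extensions MSBuild will compile; an inline-task payload lives in one of these.
PROJECT_ARG = re.compile(r"\.(proj|csproj|vbproj|targets|xml)\b", re.IGNORECASE)
# Parents that legitimately spawn MSBuild on a developer workstation; tune per environment.
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Registry path under which a DWORD 0 hides the named account from the logon screen.
USERLIST_KEY = "\\winlogon\\specialaccounts\\userlist\\"

def flag_msbuild_abuse(ev):
    """Alert when msbuild.exe builds a project file and its parent is not a dev tool."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\msbuild.exe"):
        return None
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in DEV_PARENTS or not PROJECT_ARG.search(ev["cmdline"]):
        return None
    return f"msbuild.exe spawned by {parent} with project file: {ev['cmdline']}"

def flag_hidden_account(ev):
    """Alert when SpecialAccounts\\UserList\\<account> is set to 0 (hidden at logon)."""
    if ev["id"] != 13 or USERLIST_KEY not in ev["target"].lower():
        return None
    if not ev["details"].endswith("(0x00000000)"):
        return None
    account = ev["target"].rsplit("\\", 1)[-1]
    return f"account '{account}' hidden from the logon screen via SpecialAccounts\\UserList"

def scan(events):
    """Apply both rules to every event and return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in (flag_msbuild_abuse, flag_hidden_account):
            msg = rule(ev)
            if msg:
                alerts.append(msg)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Pairing the MSBuild rule with Event ID 11 (file create) for the project file itself, and the registry rule with Event ID 4720 (account created) from the Security log, turns each alert into a corroborated sequence rather than a single indicator.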
Insights from the Canadian Centre for Cyber Security
The Canadian Centre for Cyber Security (CCCS) has issued advisories on the detection and mitigation of fileless malware, which aligns with some of the techniques used by "Unfading Sea Haze." According to the CCCS, fileless malware campaigns, like the one involving Astaroth malware, are particularly challenging to detect as they reside solely in memory and evade traditional security measures.
Recommendations from CCCS
Patch and Upgrade Management: Ensure all systems are updated with the latest security patches and vendor-issued advisories.
Layered IT Defense: Architect a multi-layered security environment, including endpoint hardening and disabling non-essential applications and services.
User Awareness: Implement robust cybersecurity training and encourage users to report suspicious activities.
Log Management: Regularly review system and server logs and conduct periodic audits to detect anomalies.
Conclusion
The continued success of "Unfading Sea Haze" highlights their adeptness at remaining undetected while achieving their espionage objectives. Their use of sophisticated techniques and evolving toolsets underscores the importance of robust cybersecurity measures in protecting sensitive military and government networks. Integrating insights and recommendations from authoritative bodies like the Canadian Centre for Cyber Security can enhance defenses against such advanced threats.
Disclaimer
Readers should not consider any advice and guidance contained within this report as comprehensive and/or all-encompassing. All risks related to the cybersecurity of information technology systems are the responsibility of system owners. The information provided is based on current understanding and practices and should be applied in conjunction with other relevant security measures and professional judgment.
Side note
If you are considering starting your own blog post or email newsletter, you should definitely consider using beehiiv. I’m blown away by how easy they’ve made it to grow and monetize. You can support me a lot by signing up through the affiliate link here.