A Chinese state-sponsored threat actor, dubbed “Unfading Sea Haze,” has been operating undetected on military and government networks in the South China Sea region since 2018.
The group’s primary focus has been intelligence collection and espionage, aligning with China’s geopolitical interests in the region.
Bitdefender researchers who discovered the threat group report that its operations align with Chinese geo-political interests, focusing on intelligence collection and espionage.
“In this attack, the criminals start a new MSBuild process with a twist: they specify a working directory located on a remote SMB server (like \154.90.34.83\exchange\info in the above example),” explains Bitdefender.
“By setting the working directory to a remote location, MSBuild will search for a project file on that remote server. If a project file is found, MSBuild will execute the code it contains entirely in memory, leaving no traces on the victim’s machine.”
That code executed by MSBuild is a backdoor program named ‘SerialPktdoor,’ which gives the attackers remote control over the compromised system.
The attack also employs scheduled tasks that execute innocuous files to side-load malicious DLLs and use local administrator account manipulation to maintain persistence.
