In the world of cybersecurity, companies with big names in their industry are often targeted by cybercriminals. That’s because attackers can profit a lot from the data they gather – they can even demand a ransom for it. With this in mind, threat actors have recently taken shipping companies and medical laboratories in Asia as their new targets.
According to researchers, the cybercriminals behind this are none other than Hydrochasma. This group is targeting companies in the aforementioned fields, specifically those specializing in COVID-19 vaccine development and treatments.
The attack seems to be an intelligence-gathering campaign, and it’s way more dangerous than anyone might assume. What are the attackers using to infiltrate the systems? How is this campaign implemented? Find out below.
Hydrochasma – From Unidentified to Extremely Dangerous
As we mentioned, targeting big companies can yield a lot of benefits, especially when the data is valuable. Most of these breaches lead to phishing campaigns or, even worse, ransom demands.
This time around, the Hydrochasma campaign has been tracked by threat hunters at Symantec, a Broadcom company, since October 2022. Yes, it’s been ongoing for quite some time now.
The group’s first observed activity was a phishing email. It carried a lure document whose file name was in the victim organization’s native language to make it more believable.
Another lure mimicked a resume. The two attachment names below are translated from the original language:
- Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf.exe
- University-Development Engineer.exe
Once Hydrochasma compromises a device, it starts by dropping a Fast Reverse Proxy (FRP). FRP can easily expose a local server hidden behind a NAT or firewall to the internet.
More Malicious Tools?
Unfortunately, it doesn’t end here. Researchers at Symantec also found other tools on the victim’s network:
- Fscan: Open ports scanner
- Dogz: Free VPN proxy tool
- SoftEtherVPN: Free open-source VPN tool
- Gogo: an automated network scanning engine
- Process Dumper: dump domain passwords (lsass.exe)
- Cobalt Strike beacon: Execute commands, inject processes, upload/download files
- AlliN scanning tool: Used for lateral movement
- Go-strip: Reduces the size of a Go binary
- HackBrowserData: Open-source utility to decrypt browser data
- Meterpreter: A tool that provides remote access
- Ntlmrelay: Used for NTLM-relay attacks and to intercept valid authentication requests
- Task Scheduler: Automates tasks on a system
- Procdump: A Microsoft Sysinternals utility that allows generating crash dumps, process dumps, and monitoring an app’s CPU usage
- BrowserGhost: Browser password grabber
- Gost proxy: Tunneling tool
Usually, well-known threat actors can be identified by tracking the way they break in or the tools they use. With this particular campaign, however, that was difficult.
Since the tools involved are publicly available to anyone, connecting the activity to a specific criminal group is a hard task. In other words, Hydrochasma appears intent on staying within these systems for a long time. That’s what Symantec stated in this comment:
“The researchers do not exclude the possibility that Hydrochasma is a known threat actor that started to experiment with the exclusive use of LotL tools and tactics in specific campaigns to cover their traces.”
The research company didn’t gather enough evidence to pinpoint which group was behind this. However, it did create the new Hydrochasma identity to at least name the group terrorizing medical and shipping companies in Asia.
The Nameless Threat Actor Does Damage
Hydrochasma is a new threat among dozens of old ones. So far, the information provided about the group is insufficient to create a full-on profile.
This particular threat actor is capable, as the attack above shows. We don’t know what its main objective is, but the group doesn’t seem to be going anywhere anytime soon.