There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.
It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.
Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.
Modus Operandi of Attack
Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity.
This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.
The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin.
The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:-
- To evade attribution efforts
- To enhance the stealthiness of their attacks
By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.
Attack Chain
Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization.
This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-
- Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
- University-Development Engineer[.]exe
Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.
Tools Used
Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-
- Gogo scanning tool
- Process Dumper (lsass.exe)
- Cobalt Strike Beacon
- AlliN scanning tool
- Fscan
- Dogz proxy tool
- SoftEtherVPN
- Procdump
- BrowserGhost
- Gost proxy
- Ntlmrelay
- Task Scheduler
- Go-strip
- HackBrowserData
It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used.
There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.
This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.
Network Security Checklist – Download Free E-Book
