Friday, October 4, 2024
HomeCyber AttackHackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

Hackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

Published on

There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.

It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.

Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.

- Advertisement - EHA

Modus Operandi of Attack

Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity. 

This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.

The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin. 

The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:- 

  • To evade attribution efforts
  • To enhance the stealthiness of their attacks

By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.

Attack Chain

Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization. 

This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-

  • Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
  • University-Development Engineer[.]exe

Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.

Tools Used

Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-

  • Gogo scanning tool
  • Process Dumper (lsass.exe)
  • Cobalt Strike Beacon
  • AlliN scanning tool
  • Fscan
  • Dogz proxy tool
  • SoftEtherVPN
  • Procdump
  • BrowserGhost
  • Gost proxy
  • Ntlmrelay
  • Task Scheduler
  • Go-strip
  • HackBrowserData

It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used. 

There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.

This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...