Hackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.

It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.

Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.

Modus Operandi of Attack

Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity. 

This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.

The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin. 

The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:- 

  • To evade attribution efforts
  • To enhance the stealthiness of their attacks

By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.

Attack Chain

Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization. 

This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-

  • Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
  • University-Development Engineer[.]exe

Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.

Tools Used

Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-

  • Gogo scanning tool
  • Process Dumper (lsass.exe)
  • Cobalt Strike Beacon
  • AlliN scanning tool
  • Fscan
  • Dogz proxy tool
  • SoftEtherVPN
  • Procdump
  • BrowserGhost
  • Gost proxy
  • Ntlmrelay
  • Task Scheduler
  • Go-strip
  • HackBrowserData

It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used. 

There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.

This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.

Network Security Checklist – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

4 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

5 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

6 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

7 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

7 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

7 hours ago