Symantec details Hydrochasma group targeting Asian medical, shipping organizations

Symantec researchers disclosed the presence of Hydrochasma threat actors targeting shipping companies and medical laboratories in Asia, in a likely intelligence-gathering campaign that relies exclusively on publicly available and living-off-the-land tools. No custom malware was deployed in this campaign, which appears to rely exclusively on open-source tools.

“Hydrochasma, the threat actor behind this campaign, has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines,” the Symantec Threat Hunter Team wrote in a blog post on Wednesday. “This activity has been ongoing since at least October 2022. While Symantec, by Broadcom Software, did not see any data being exfiltrated in this campaign, the targets, as well as some of the tools used, indicate that the most likely motivation in this campaign is intelligence gathering.”

The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks.

“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data,” the post said. “The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”

The lack of custom malware used in this attack is also notable. Relying exclusively on living-off-the-land and publicly available tools can help make an attack stealthier, while also making attribution more difficult. Symantec did not see evidence to link this activity to a known actor, prompting the team to create the new actor identity of Hydrochasma for those behind this activity.

The researchers said that the infection vector used by Hydrochasma was most likely a phishing email. 

The first suspicious activity seen on machines is a lure document with a file name in the victim organization’s native language that appears to indicate it was an email attachment:

[TRANSLATED FROM THE ORIGINAL] Product Specification-Freight-Company Qualification Information wps-pdf Export[dot]pdf[dot]exe.

Another lure document appears to be mimicking a resume:

[TRANSLATED FROM THE ORIGINAL] [REDACTED] University-Development Engineer[dot]exe.

Following initial access on one machine, the attackers were seen dropping Fast Reverse Proxy (FRP), a tool that can expose a local server sitting behind a NAT or firewall to the internet. This drops a legitimate Microsoft Edge update file, ‘%TEMP%\MicrosoftEdgeUpdate[dot]exe’.

Another file, ‘%TEMP%\msedgeupdate[dot]dll,’ is then seen on victim machines. The Symantec team revealed that this file is actually Meterpreter, a tool that is part of the Metasploit framework and can be used for remote access.

The researchers identified that the other tools subsequently seen on this victim’s network included the ‘gogo’ scanning tool, an automated scanning engine originally designed for use by red teams; the Process Dumper (lsass[dot]exe) tool, which allows attackers to dump domain passwords; and the Cobalt Strike Beacon off-the-shelf tool, which can be used to execute commands, inject into other processes, elevate current processes, or impersonate other processes, and upload and download files. It ostensibly has legitimate uses as a penetration testing tool but is invariably exploited by malicious actors.

They also found the AlliN pen-testing scan tool, which can be used for lateral penetration of the intranet; Fscan, a publicly available hack tool that can scan for open ports and more; and the Dogz free VPN proxy tool. A shellcode loader and a corrupted portable executable (PE) file were also deployed on this victim’s network.

Other tactics, techniques, and procedures (TTPs) observed in the Hydrochasma campaign included SoftEtherVPN, whose presence was what first prompted Symantec researchers to investigate this activity. It is free, open-source, and cross-platform VPN software. They also included Procdump, a Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, which can also be used as a general process dump utility.

Symantec also revealed the presence of BrowserGhost, a publicly available tool that can grab passwords from an internet browser; the Gost proxy tunneling tool; and Ntlmrelay, an NTLM relay attack tool that allows an attacker to intercept validated authentication requests to access network services. The list also covers Task Scheduler, which allows tasks to be automated on a computer; Go-strip, used to make a Go binary smaller in size; and the HackBrowserData open-source tool, which can decrypt browser data.
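As an added illustration, and not code from Symantec or from the article, the Python rules below turn three of the observations above into hunting checks that can be run over endpoint telemetry: the double-extension lure names (‘[dot]pdf[dot]exe’), the Edge update executable and ‘msedgeupdate[dot]dll’ staged under %TEMP% rather than in the normal Edge installation directory, and a process dump utility pointed at LSASS. The event record layout and all sample events are constructed for the example; the ‘Temp’ path pattern and the Procdump ‘-ma’ switch in the sample command line are assumptions drawn from common usage rather than from the article.

```python
"""Hunting checks for the Hydrochasma tradecraft described in the article.

Added example, not Symantec's code. Event records are plain dicts with a
'type' key ('file_create' or 'process_create') plus 'path' or
'image'/'cmdline'; this layout and the sample events are constructed.
"""
import re

# Decoy extensions that commonly precede the real one in a lure name ...
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# ... and executable extensions that should never hide behind them.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}

DOUBLE_EXT_RE = re.compile(
    r"\.(?P<decoy>[a-z0-9]{2,5})\.(?P<real>[a-z0-9]{2,4})$", re.IGNORECASE
)
# Assumption: user temp directories contain a "\Temp\" path component.
TEMP_DIR_RE = re.compile(r"\\(?:Temp|tmp)\\", re.IGNORECASE)
# File names from the article; legitimate Edge updater binaries live under
# Program Files, not under a user's temp directory.
EDGE_UPDATE_NAMES = {"microsoftedgeupdate.exe", "msedgeupdate.dll"}
LSASS_RE = re.compile(r"\blsass(?:\.exe)?\b", re.IGNORECASE)
DUMP_HINT_RE = re.compile(r"(?:-ma\b|-mm\b|\bdump|\.dmp\b)", re.IGNORECASE)


def basename(path):
    """Return the last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def check_double_extension(name):
    """True for names such as 'invoice.pdf.exe' (document decoy, executable real)."""
    m = DOUBLE_EXT_RE.search(name)
    return bool(m) and m["decoy"].lower() in DOCUMENT_EXTS and m["real"].lower() in EXEC_EXTS


def check_edge_update_in_temp(path):
    """True when an Edge updater file name appears under a temp directory."""
    return basename(path).lower() in EDGE_UPDATE_NAMES and TEMP_DIR_RE.search(path) is not None


def check_lsass_dump(cmdline):
    """True when a command line references lsass together with a dump indicator."""
    return LSASS_RE.search(cmdline) is not None and DUMP_HINT_RE.search(cmdline) is not None


def scan_events(events):
    """Apply every rule to each event; return (rule_name, evidence) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            if check_double_extension(basename(ev["path"])):
                findings.append(("double_extension_lure", ev["path"]))
            if check_edge_update_in_temp(ev["path"]):
                findings.append(("edge_update_staged_in_temp", ev["path"]))
        elif ev["type"] == "process_create":
            if check_double_extension(basename(ev["image"])):
                findings.append(("double_extension_lure", ev["image"]))
            if check_lsass_dump(ev["cmdline"]):
                findings.append(("lsass_memory_dump", ev["cmdline"]))
    return findings


# Constructed sample telemetry modelled on the article's indicators.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\victim\Downloads\Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf.exe"},
    # Single-extension lure from the article: the double-extension rule does
    # NOT catch this one, which is why file-name heuristics need other signals.
    {"type": "file_create", "path": r"C:\Users\victim\Downloads\University-Development Engineer.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\MicrosoftEdgeUpdate.exe"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\msedgeupdate.dll"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\pd.exe",
     "cmdline": "pd.exe -ma lsass.exe lsass.dmp"},
    # Benign controls: an ordinary document and the real updater in its home.
    {"type": "file_create", "path": r"C:\Users\victim\Documents\report.pdf"},
    {"type": "process_create",
     "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "cmdline": "MicrosoftEdgeUpdate.exe /c"},
]

if __name__ == "__main__":
    for rule, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Run against the constructed events, the rules raise four findings (one lure, two Edge updater files under Temp, one LSASS dump) and stay silent on the two benign controls. The single-extension resume lure is deliberately left unflagged to show the limit of name-based matching; in practice it would need to be paired with the mail-attachment provenance the article describes, or with later activity such as FRP or Meterpreter being dropped.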

Earlier this month, Symantec researchers disclosed that the Russian-linked Nodaria group had deployed a new threat designed to steal information from infected computers. The espionage group, also known as UAC-0056, has been found to use a new piece of information-stealing malware against targets in Ukraine.
