A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments.
The hackers' goal appears to be stealing intelligence; their activity has been tracked since last October by threat hunters at Symantec, a Broadcom company.
A characteristic of Hydrochasma attacks is that they rely only on open-source tools and “living off the land” (LotL) tactics, leaving no traces that could lead to attribution.
Attack flow
A Hydrochasma attack likely begins with a phishing email, an assumption based on the fact that Symantec detected executables mimicking documents as the origin of the malicious activity on compromised machines.
The fake documents use a “product specification information” theme when targeting the shipping firms and a “job applicant resume” when targeting the medical labs.
After compromising a machine, the attacker uses the access to drop a Fast Reverse Proxy (FRP), which can expose local servers sitting behind NAT (Network Address Translation) or a firewall to the public web.
Next, the intruder drops the following tools on the infected system:
- Meterpreter (disguised as Microsoft Edge Updater): a tool with advanced penetration testing capabilities that provides remote access
- Gogo: an automated network scanning engine
- Process Dumper, to dump domain passwords (lsass.exe)
- Cobalt Strike beacon, to execute commands, inject processes, upload/download files
- AlliN scanning tool, used for lateral movement
- Fscan: open ports scanner
- Dogz: free VPX proxy tool
- SoftEtherVPN: free open-source VPN tool
- Procdump: a Microsoft Sysinternals utility for generating crash dumps and process dumps and for monitoring an app’s CPU usage
- BrowserGhost: browser password grabber
- Gost proxy: tunneling tool
- Ntlmrelay: used for NTLM-relay attacks and to intercept valid authentication requests
- Task Scheduler: automates tasks on a system
- Go-strip: reduces the size of a Go binary
- HackBrowserData: open-source utility to decrypt browser data
Using such an extensive list of publicly available tools makes it hard to connect the activity to any specific threat group, and indicates that the attackers aim to stay in the victim’s network for extended periods.
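As an added, defender-side example that is not part of Symantec's report: a small Python rule set that flags the behaviours described above (an executable dressed up as a résumé or product-specification document launched from a mail client, a binary named like the Edge updater running outside its install directory, an FRP client in a user-writable path, and a memory dump of lsass.exe) over constructed process-creation events. The event field names, file paths and the Edge updater install directory are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry); field names are assumed.
EVENTS = [
    {"image": r"C:\Users\alice\Downloads\job_applicant_resume.pdf.exe", "parent": r"C:\Office\OUTLOOK.EXE", "cmdline": ""},
    {"image": r"C:\Users\alice\AppData\Local\Temp\MicrosoftEdgeUpdate.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "parent": r"C:\Windows\System32\services.exe", "cmdline": "/svc"},
    {"image": r"C:\ProgramData\frpc.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"image": r"C:\Tools\procdump64.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
MAIL_OR_BROWSER = ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe")
EDGE_UPDATE_DIR = r"c:\program files (x86)\microsoft\edgeupdate"  # assumed legitimate location
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def match_rules(ev):
    """Return the names of the Hydrochasma-style behaviours this event matches."""
    hits = []
    p = PureWindowsPath(ev["image"])
    name, parent = p.name.lower(), PureWindowsPath(ev["parent"]).name.lower()
    image_dir, cmd = str(p.parent).lower(), ev["cmdline"].lower()
    suffixes = [s.lower() for s in p.suffixes]
    # 1. Executable dressed up as a document (resume.pdf.exe) spawned by a mail client or browser.
    if (len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS
            and parent in MAIL_OR_BROWSER):
        hits.append("document_masquerade")
    # 2. Binary named like the Edge updater but running outside its install directory.
    if name == "microsoftedgeupdate.exe" and not image_dir.startswith(EDGE_UPDATE_DIR):
        hits.append("edge_updater_masquerade")
    # 3. Fast Reverse Proxy client launched from a user-writable location.
    if name.startswith("frpc") and any(d in image_dir + "\\" for d in USER_WRITABLE):
        hits.append("frp_client")
    # 4. Memory dump of lsass.exe (credential theft), via procdump or any other dumper.
    if re.search(r"\blsass(\.exe)?\b", cmd) and ("-ma" in cmd or "dump" in name):
        hits.append("lsass_dump")
    return hits

def scan(events):
    """Map each flagged image path to the rules it triggered; clean events are omitted."""
    return {ev["image"]: h for ev in events if (h := match_rules(ev))}
```

The legitimate Edge updater launched by services.exe and the notepad event produce no hits, which is the false-positive check worth keeping when the rules are ported to real telemetry.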
“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks,” comments Symantec.
“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data.”
The researchers do not exclude the possibility that Hydrochasma is a known threat actor that started to experiment with the exclusive use of LotL tools and tactics in specific campaigns to cover their traces.
At the moment, the only clues to what kind of actor Hydrochasma is come from its victims, which Symantec says are located in Asia. However, this indication alone is insufficient to build a proper profile.