Hydrochasma, a threat actor that no one knew about before, has been going after shipping and medical labs that work on COVID-19 vaccine development and treatments. The hackers’ goal seems to be to steal intelligence, and threat hunters at Symantec, a Broadcom company, have been watching what they do since October.
Hydrochasma attacks only use open-source tools and “living off the land” (LotL) methods, leaving no traces that could be used to figure out who did it. A Hydrochasma attack probably starts with a phishing email. This is because Symantec found that malicious activity on compromised machines started with executables that looked like documents.
When sent to shipping companies, the fake documents look like “product specification information,” and when sent to medical labs, they look like “job applicant resumes.”
After gaining access to a machine, an attacker uses that access to drop a Fast Reverse Proxy (FRP), which can make local servers behind a Network Address Translation (NAT) or a firewall visible to the public web.
Then, the intruder drops the following tools on the system he or she has broken into:
- Meterpreter is a tool for advanced penetration testing that gives remote access and is disguised as Microsoft Edge Updater.
- Gogo: An engine that automatically checks networks
- Process Dumper, which dumps domain passwords (lsass.exe)
- Cobalt Strike beacon to run commands, inject processes, and upload/download files
- The AlliN scanning tool is used for moving sideways.
- Fscan: scan open ports
- Free VPX proxy tool Dogz
- SoftEtherVPN is a free VPN tool that is open source
- Procdump is a tool from Microsoft Sysinternals that lets you make crash dumps, process dumps, and watch how much CPU an app uses.
- BrowserGhost: Keylogger for browsers
- Gost proxy: a tool for tunneling
- Ntlmrelay is used for NTLM-relay attacks and to stop valid authentication requests from getting through.
- Task Scheduler makes tasks on a system run by themselves.
- Go-strip: makes a strip smaller. Go Binary
- HackBrowserData is a free program that can be used to decrypt browser data.
- Using such a long list of tools that are available to the public makes it hard to link the activity to a specific threat group and shows that the attackers want to stay in the victim’s network for a long time.
Symantec says that the tools used by Hydrochasma show a desire to gain persistent and stealthy access to victim machines, as well as a desire to gain more privileges and spread across victim networks.
“Symantec researchers didn’t see data being taken out of victim machines, but some of the tools used by Hydrochasma allow remote access and could be used to take data out.”
The researchers haven’t ruled out the idea that Hydrochasma is a known threat actor that started trying out using only LotL tools and tactics in specific campaigns to hide their tracks.
The only clues we have right now about what kind of actor Hydrochasma is is from its victims, who Symantec says are in Asia. But this information alone is not enough to make a good profile.
Conclusion
Shipping companies and medical labs in Asia may have been the target of espionage by a threat actor called Hydrochasma, which has never been seen before. The activity has been going on since October 2022, and Symantec by Broadcom Software said in a report that it “relies exclusively on publicly available and living-off-the-land tools.”
There isn’t enough evidence yet to find out where it came from or if it is connected to known threat actors, but a cybersecurity company said the group might be interested in industries that work on treatments or vaccines for COVID-19. The campaign stands out because there was no data exfiltration or custom malware. Instead, the threat actor used open-source tools to gather information. By using tools that are already out there, it looks like the goal is not only to make it challenging to figure out who is behind the attacks but also to make them sneakier.
