Hydrochasma cyberspies target medical labs and shipping firms in Asia

A previously unknown threat actor has been targeting shipping companies and medical laboratories in Asia since at least October 2020.

Dubbed “Hydrochasma” by Symantec’s researchers, the threat actor appears to be focused on industries that may be involved in COVID-19-related treatments or vaccines. Another notable aspect is that the group relies exclusively on open-source tools instead of custom malware.

The researchers said that while they haven’t seen the attackers exfiltrate data in the observed attack, the group’s motivation in this campaign is likely intelligence gathering.

According to Symantec, the threat actor gained access to the victim’s network via a phishing email with a malicious document. After gaining initial access, the attackers installed Fast Reverse Proxy (FRP), a tool that can expose a local server sitting behind a NAT or firewall to the internet. This tool dropped two files onto the machine: a legitimate Microsoft Edge update file, and the Meterpreter tool (part of the Metasploit framework), which can be used for remote access.

In addition to the above-mentioned files, the researchers observed several other tools deployed by the threat actor, such as the Gogo scanning tool, Process Dumper (lsass.exe), Cobalt Strike Beacon, the AlliN scanning tool, Fscan, and the Dogz VPN proxy tool.

Other tactics, techniques, and procedures (TTPs) observed being used in this campaign included:

  • SoftEtherVPN: A free, open-source, and cross-platform VPN software.

  • Procdump: A Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility.

  • BrowserGhost: A publicly available tool that can grab passwords from an internet browser.

  • Gost proxy: A tunneling tool.

  • Ntlmrelay: An NTLM relay attack allows an attacker to intercept validated authentication requests in order to access network services.

  • Task Scheduler: Allows tasks to be automated on a computer.

  • Go-strip: Used to make a Go binary smaller in size.

  • HackBrowserData: An open-source tool that can decrypt browser data.
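Because every tool in the list above (and the FRP/Meterpreter chain described earlier) is publicly available rather than custom malware, the practical detection opportunity for defenders is the way these tools show up in process-creation telemetry. The following is an added illustration, not code from the article or from Symantec’s report: a small rule set run over constructed Sysmon-style process-creation records. The binary names frpc/frps (FRP) and gost (Gost) are the projects’ real executable names; the FRP config-file pattern, the BrowserGhost/HackBrowserData release file names, and all sample records are assumptions made for the example.

```python
"""Detection sketch for the publicly available tooling described above.

Input records mimic Sysmon Event ID 1 (process creation) fields. All sample
records below are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (field names follow Sysmon Event ID 1)."""
    record_id: int
    image: str          # full path of the executable that started
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lsass_dump(e: ProcEvent) -> bool:
    # ProcDump aimed at LSASS: the article lists both ProcDump and a process dumper targeting lsass.exe.
    return _basename(e.image) in {"procdump.exe", "procdump64.exe"} and "lsass" in e.command_line.lower()


def is_reverse_proxy(e: ProcEvent) -> bool:
    # frpc/frps are FRP's client/server binaries, gost is the Gost tunnel binary.
    # The frpc.ini / frpc.toml config-file pattern is an assumption about how FRP is launched.
    name = _basename(e.image)
    cfg = re.search(r"\bfrp[cs]\.(ini|toml)\b", e.command_line, re.I)
    return name in {"frpc.exe", "frps.exe", "gost.exe"} or cfg is not None


def is_task_persistence(e: ProcEvent) -> bool:
    # Task Scheduler abuse: a task being created from the command line.
    return _basename(e.image) == "schtasks.exe" and "/create" in e.command_line.lower()


def is_ntlm_relay(e: ProcEvent) -> bool:
    # Matches Impacket's ntlmrelayx as well as any script or binary named after it.
    return "ntlmrelay" in e.command_line.lower()


def is_browser_cred_tool(e: ProcEvent) -> bool:
    # BrowserGhost / HackBrowserData; the release file names are assumed here.
    name = _basename(e.image)
    return "browserghost" in name or "hack-browser-data" in name


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("lsass_memory_dump", is_lsass_dump),
    ("reverse_proxy_tunnel", is_reverse_proxy),
    ("scheduled_task_persistence", is_task_persistence),
    ("ntlm_relay_tool", is_ntlm_relay),
    ("browser_credential_tool", is_browser_cred_tool),
]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (record_id, rule_name) for every rule that fires on each record."""
    hits: List[Tuple[int, str]] = []
    for e in events:
        for rule_name, predicate in RULES:
            if predicate(e):
                hits.append((e.record_id, rule_name))
    return hits


# Constructed sample records: one benign service start, three tool launches
# mirroring the article's TTPs, and one benign user process.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcEvent(2, r"C:\Users\Public\procdump64.exe", "procdump64.exe -accepteula -ma lsass.exe out.dmp", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3, r"C:\ProgramData\update\frpc.exe", "frpc.exe -c frpc.ini", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc onlogon /tn "EdgeUpdate" /tr C:\ProgramData\update\frpc.exe', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5, r"C:\Python39\python.exe", "python.exe ntlmrelayx.py", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(6, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for record_id, rule in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

Matching on executable names is deliberately coarse: attackers rename binaries, so in production these rules would be paired with hash- or signer-based checks and with the parent-process context that the `parent_image` field carries (a scheduled task created from an interactive shell under a user profile is a much stronger signal than the file name alone).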

“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks. The lack of custom malware used in this attack is also notable. Relying exclusively on living-off-the-land and publicly available tools can help make an attack stealthier, while also making attribution more difficult,” Symantec concluded.
