
Hydrochasma: An Emerging Threat to Asia's Medical and Shipping Industries

Behold! A new player has emerged in the realm of cyber threats: Hydrochasma. According to Symantec's investigation, this group has set its sights on medical laboratories and shipping firms in Asia. The previously unknown group has no identified links to any known threat actor, but it appears to be interested in industries involved in COVID-19 treatments or vaccines.

Diving into details

Symantec researchers observed persistent activities by the group that began in October 2022.
  • While the location of Hydrochasma remains unknown to the researchers, the group has targeted companies involved in developing treatments and vaccines for COVID-19.
  • Hydrochasma most probably used a phishing email for initial access, as the target machines received a lure document with a file name in the victim’s native language. Another lure document was disguised as a resume.
  • The nature of the targets and the tools employed strongly suggest that the primary objective of this campaign is intelligence gathering.
  • So far, the hackers have not exfiltrated any data during the campaign.

Why this matters

The tools the attackers use suggest an intention to establish long-term, inconspicuous access to targeted machines, while also attempting to escalate privileges and move laterally.
  • They did not employ any custom malware but instead relied heavily on publicly available and living-off-the-land tools.
  • The attackers dropped Fast Reverse Proxy (FRP) on the victim’s system, a tool that can expose a local server sitting behind a firewall.
  • Such tactics increase the stealthiness of the attack and make identifying the perpetrators more challenging.
  • Other tools dropped include Meterpreter for remote access, the Gogo scanner, a process dumper, Cobalt Strike, the AlliN scanner, Fscan, and the Dogz proxy.

The bottom line

Attacking medical labs and shipping companies drives home the fact that this is a cyberespionage campaign. While there has been no evidence of data exfiltration yet, the tools Hydrochasma used allow for remote access, potentially enabling data exfiltration.
Cyware Publisher