24 Feb, 2023

Hydrochasma Targets Medical Research Laboratories and Shipping Companies

A new threat actor, tracked as Hydrochasma, is targeting shipping companies and medical laboratories involved in developing vaccines and treatments for COVID-19.

The attackers' intent appears to be intelligence gathering; the group's activity has been monitored since last October by threat hunters at Symantec, a Broadcom company.

Hydrochasma relies exclusively on open source tools and "living off the land" (LotL) tactics. This previously unknown actor leaves no identifiable traces behind after an attack, which makes its activity harder to attribute.

Attack Flow

The Hydrochasma attacks are believed to have started with a phishing email. Symantec assumes the initial access vector was a lure document sent as an attachment.

The lure documents are themed to the victim: "product specification information" when targeting shipping companies and a "curriculum vitae of a job applicant" when targeting medical laboratories.

After compromising a machine, the attacker drops Fast Reverse Proxy (FRP), a tool that exposes local servers sitting behind a NAT or firewall to the public internet, giving the attacker a route back into the network.

Next, Hydrochasma deploys the following tools on the infected system:

  • Meterpreter: a remote access tool with advanced penetration testing features.
  • Gogo: an automated scanning tool.
  • Process Dumper: used to dump the memory of lsass.exe in order to recover domain passwords.
  • Cobalt Strike Beacon: used to execute commands, inject code, and upload/download files.
  • Fscan: an open port scanner.
  • Dogz: a free VPN proxy tool.
  • SoftEtherVPN: a free, open source VPN tool.
  • Procdump: a Microsoft Sysinternals utility for creating crash dumps and process dumps and for monitoring an application's CPU usage.
  • Ntlmrelay: used to carry out NTLM relay attacks, relaying valid authentication requests between clients and servers to gain access to network services.
  • Task Scheduler: automates and maintains tasks on the system.
  • Go-strip: reduces the size of Go binaries.
  • HackBrowserData: an open source utility for decrypting browser data.

Such heavy reliance on widely known and widely used open source tools makes it difficult to attribute the activity to a particular threat group, and the tool set indicates that the attackers intend to remain on the target network for a long time.
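Because the tool set is entirely open source, defenders are better served by watching for the behaviours these tools produce than for file hashes. The following Python script is an added example written for this article; it is not code from Symantec or from any of the tools listed above. It runs a handful of behavioural rules (a Procdump-style dump of lsass.exe, an FRP client launch, a scheduled task pointing at a user-writable directory, a port scanner, and any binary executed from a writable path) over a small set of constructed, Sysmon-like process-creation events. The event field names (host, image, cmdline, parent) and the sample commands are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation events with hypothetical Sysmon-like
# fields. These are not real telemetry from the Hydrochasma intrusions.
SAMPLE_EVENTS = [
    {"host": "lab-ws01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
    {"host": "lab-ws01", "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp", "parent": "cmd.exe"},
    {"host": "ship-srv02", "image": r"C:\ProgramData\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini", "parent": "cmd.exe"},
    {"host": "ship-srv02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "upd" /tr C:\\ProgramData\\frpc.exe',
     "parent": "cmd.exe"},
    {"host": "lab-ws03", "image": r"C:\Temp\fscan.exe",
     "cmdline": "fscan.exe -h 10.10.0.0/24", "parent": "powershell.exe"},
    {"host": "lab-ws03", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n cv_applicant.docx", "parent": "explorer.exe"},
]

# Behavioural rules keyed on the command line: (rule name, pattern, severity).
# They describe what the tools in the article do on a host, not specific samples.
RULES = [
    # Procdump (or a renamed copy) being pointed at lsass.exe: credential dumping.
    ("lsass-dump-procdump",
     re.compile(r"procdump\S*\s.*\blsass(\.exe)?\b", re.I), "high"),
    # Fast Reverse Proxy client or server binary being launched.
    ("fast-reverse-proxy",
     re.compile(r"\bfrpc?\.exe\b", re.I), "high"),
    # schtasks persistence whose action lives in a user-writable directory.
    ("scheduled-task-persistence",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*(ProgramData|\\Temp\\|Users\\Public)", re.I),
     "medium"),
    # Fscan open port scanner (internal reconnaissance).
    ("port-scanner-fscan",
     re.compile(r"\bfscan(\.exe)?\b", re.I), "medium"),
]

# Any executable running out of a directory ordinary users can write to.
WRITABLE_PATH = re.compile(r"\\(ProgramData|Temp|Users\\Public)\\", re.I)


def score_event(event):
    """Return the list of (rule name, severity) hits for one event."""
    hits = []
    for name, pattern, severity in RULES:
        if pattern.search(event["cmdline"]):
            hits.append((name, severity))
    if WRITABLE_PATH.search(event["image"]):
        hits.append(("exec-from-writable-path", "low"))
    return hits


def triage(events):
    """Run every rule over every event; keep only events that produced hits."""
    alerts = []
    for event in events:
        hits = score_event(event)
        if hits:
            alerts.append({"host": event["host"], "image": event["image"],
                           "parent": event["parent"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        names = ", ".join(f"{n} ({s})" for n, s in alert["hits"])
        print(f'{alert["host"]}: {alert["image"]} <- {alert["parent"]}: {names}')
```

Running the script flags four of the six constructed events: the lsass dump, the FRP launch, the scheduled task that re-launches FRP, and the fscan sweep, while the benign svchost.exe and Word events pass clean. Because these tools are legitimate open source software, the low-severity "exec-from-writable-path" hit is deliberately kept as context rather than promoted to an alert on its own; it becomes interesting when it stacks with one of the behavioural rules.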

Symantec researchers said: “The tools deployed by Hydrochasma demonstrate a desire to gain permanent and confidential access to victim machines, as well as an effort to escalate privileges and spread rapidly across victim networks.” They added: “Although Symantec researchers did not observe data leaking from victim machines, some tools used by Hydrochasma are capable of remote access, and this can be used to potentially leak data.”

Source:

Hydrochasma hackers target medical research labs, shipping firms (bleepingcomputer.com)

