Hydrochasma Group Targets Asian Medical and Shipping Sectors

Written by

A new threat actor has been seen targeting shipping companies and medical laboratories in Asia with phishing emails.

Dubbed "Hydrochasma" by Symantec cybersecurity researchers, the threat actor appears to have had a possible interest in industries connected with COVID-19 treatments or vaccines.

“The infection vector used by Hydrochasma was most likely a phishing email,” reads an advisory published by Symantec earlier today.

“The first suspicious activity seen on machines is a lure document with a file name in the victim organization’s native language that appears to indicate it was an email attachment.”

After obtaining initial access, the threat actors were observed dropping Fast Reverse Proxy (FRP), a tool exposing a local server sitting behind a network address translation (NAT) or firewall.

This, in turn, dropped a legitimate Microsoft Edge update file alongside a .dll file that is, in reality, the Meterpreter tool, which can be used to perform remote access on victim machines.

Symantec also spotted several additional malware tools in infected machines, including the Gogo scanning tool, the Cobalt Strike Beacon and Fscan, a publicly available port scanning tool.

Additionally, Symantec said it discovered a shellcode loader and a corrupted portable executable (PE) file on a victim’s network.

“While [we] didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data,” reads the advisory.

“The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”

According to the company, the fact that Hydrochasma did not use custom malware is notable.

“Relying exclusively on living-off-the-land and publicly available tools can help make an attack stealthier while also making attribution more difficult,” Symantec explained.

Healthcare is currently one of the most targeted sectors worldwide by threat actors using phishing techniques, as shown by new data from the Healthcare Information and Management Systems Society.

What’s hot on Infosecurity Magazine?