A new threat actor on the scene, Hydrochasma, has been observed using exclusively open-source tools for what Symantec researchers suggest is likely an intelligence-gathering campaign.
Hydrochasma: a new threat actor seen targeting medical and shipping sectors in Asia.
Researchers from Symantec, a Broadcom Software company, wrote this morning about an observed campaign likely intended to gather intelligence from shipping companies and medical laboratories in Asia. They’re calling it “Hydrochasma.”
What researchers know about Hydrochasma.
Symantec researchers have observed activity from the Hydrochasma threat actor dating back to October of 2022. The actor is not linked to any other known campaigns, and researchers did not see data being exfiltrated; however, the tools observed in use gave researchers reason to believe that the goal may be the gathering of intelligence. The industries targeted by the Hydrochasma hacker (or hackers) appear to be ones associated with COVID-19 vaccines and treatments, the blog notes.
Hydrochasma goes phishing for victims.
The initial attack vector is a phishing email with a lure document attached. The file name is in the native language of the victim’s organization, and has been seen to mimic a freight company qualification document as well as a fake resume. Following the initial lure document, Fast Reverse Proxy (FRP), described by researchers as “a tool that can expose a local server that is sitting behind a NAT or firewall to the internet,” drops a legitimate Microsoft Edge update file that in turn adds Meterpreter, explained as “a tool that is part of the Metasploit framework and which can be used for remote access.” Many other tools were dropped by the malicious actor, all indicating to researchers that there is “a desire [by the actor] to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks.”
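The chain described above (a double-extension lure, the open-source FRP client as the foothold, a legitimate-looking updater staged from a user-writable folder, and whatever FRP then spawns) maps onto a few process-lineage checks a defender can run over endpoint telemetry. The following is an added example, not detection logic from Symantec or the report: it scans constructed process-creation events for the FRP client/server binaries (`frpc`/`frps` are the tool’s actual binary names), for an “update” executable running outside a program directory, for document-named executables, and for any descendant of an FRP process. The log format, paths and process names are assumptions.

```python
import re
# Constructed process-creation events (format is an assumption, loosely
# modelled on Sysmon Event ID 1 fields); paths and names are made up.
SAMPLE_EVENTS = [
    "ppid=4000 pid=4100 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "ppid=4100 pid=4200 image=C:\\Users\\u\\Downloads\\resume.docx.exe cmd=resume.docx.exe",
    "ppid=4200 pid=4300 image=C:\\Users\\u\\AppData\\Local\\Temp\\frpc.exe cmd=frpc.exe -c frpc.ini",
    "ppid=4300 pid=4400 image=C:\\Users\\u\\AppData\\Local\\Temp\\MicrosoftEdgeUpdate.exe cmd=MicrosoftEdgeUpdate.exe",
    "ppid=4400 pid=4500 image=C:\\Windows\\System32\\rundll32.exe cmd=rundll32.exe stage.dll,Run",
    "ppid=4000 pid=4600 image=C:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe cmd=MicrosoftEdgeUpdate.exe /c",
]

EVENT_RE = re.compile(r"ppid=(\d+) pid=(\d+) image=(.+?) cmd=(.*)")
FRP_BINARIES = {"frpc", "frps", "frpc.exe", "frps.exe"}   # real FRP binary names
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")
LURE_RE = re.compile(r"\.(docx?|pdf|xlsx?)\.exe$", re.I)    # e.g. resume.docx.exe
def parse_events(lines):
    """Map pid -> {ppid, image, cmd}; malformed lines are skipped."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            ppid, pid, image, cmd = m.groups()
            events[int(pid)] = {"ppid": int(ppid), "image": image, "cmd": cmd}
    return events

def ancestors(events, pid):
    """Yield known ancestor pids of pid, nearest first; guards against cycles."""
    seen, cur = set(), events[pid]["ppid"]
    while cur in events and cur not in seen:
        seen.add(cur)
        yield cur
        cur = events[cur]["ppid"]

def analyze(lines):
    """Return sorted (pid, reason) findings for the heuristics described above."""
    events, findings, frp_pids = parse_events(lines), [], set()
    for pid, ev in events.items():
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in FRP_BINARIES:            # open-source reverse proxy on an endpoint
            frp_pids.add(pid)
            findings.append((pid, "frp-binary"))
        elif "update" in name and any(p in ev["image"].lower() for p in USER_WRITABLE):
            findings.append((pid, "updater-from-user-path"))  # real updater, wrong place
        elif LURE_RE.search(name):
            findings.append((pid, "double-extension-lure"))
    for pid in events:   # anything FRP spawned, directly or indirectly, inherits suspicion
        if pid not in frp_pids and any(a in frp_pids for a in ancestors(events, pid)):
            findings.append((pid, "descendant-of-frp"))
    return sorted(findings)
```

The updater installed under Program Files (pid 4600) is deliberately left unflagged, since the signal is the location and the parent, not the binary itself.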
The distinctive nature of the toolkit in use.
The absence of custom malware is worth a mention, researchers say, as the ability of the hacker to “live off the land” keeps their movements stealthier and serves to obscure their identity. This left researchers unable to link the activity to a known group, and so the Hydrochasma identity was born. The tools deployed allow remote access and could potentially be used for data exfiltration in the future, though researchers have observed none in this campaign to date.