Shipping companies and medical laboratories in Asia are being targeted in an intelligence-gathering campaign by a new threat actor, Hydrochasma, which relies exclusively on open-source and living-off-the-land tools. No data exfiltration has been observed, but the tools deployed would give the attackers remote access and the means to exfiltrate data. The campaign, which began in October 2022, targets industries that may be involved in COVID-19 treatments or vaccines.
The attackers use phishing emails carrying lure documents, written in the victim's native language, that pose as email attachments. Once a machine is compromised, the attackers deploy Fast Reverse Proxy (FRP), an open-source tool that tunnels a service on a host behind a firewall or NAT out to a server the operator controls; this was seen to drop a legitimate Microsoft Edge update file, followed by Meterpreter, the Metasploit remote-access payload. Other tools seen later include Cobalt Strike Beacon, a penetration-testing implant widely abused by malicious actors.
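The chain described above (a dual-use tunnelling tool, a legitimate-looking updater dropped outside its normal location, and an executable spawned from a phishing document) leaves a few host-level signals that a detection engineer can triage from process-creation telemetry. The script below is an added example, not Symantec's detection logic or anything from the report: the event records are constructed, the paths and rule names are assumptions, and the only outside fact it relies on is that the Fast Reverse Proxy client and server binaries are conventionally named frpc and frps.

```python
"""Heuristic triage of process-creation events for the Hydrochasma-style
tool chain: FRP tunnelling, a masqueraded updater, and document-spawned
executables. Added example; events, paths and rule names are constructed."""
import re

# Constructed records in a Sysmon-event-1-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {  # benign: genuine Edge updater from its install directory, run as a service
        "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
        "parent": r"C:\Windows\System32\services.exe",
        "cmdline": "MicrosoftEdgeUpdate.exe /svc",
    },
    {  # suspicious: updater name in a temp directory, spawned by an FRP client
        "image": r"C:\Users\alice\AppData\Local\Temp\MicrosoftEdgeUpdate.exe",
        "parent": r"C:\Users\alice\AppData\Local\Temp\frpc.exe",
        "cmdline": "MicrosoftEdgeUpdate.exe",
    },
    {  # suspicious: Word launching an FRP client with a config file
        "image": r"C:\Users\alice\AppData\Local\Temp\frpc.exe",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "cmdline": "frpc.exe -c frpc.ini",
    },
    {  # benign: ordinary service host
        "image": r"C:\Windows\System32\svchost.exe",
        "parent": r"C:\Windows\System32\services.exe",
        "cmdline": "svchost.exe -k netsvcs",
    },
]

# Assumed set of user-writable locations; extend for the environment.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\|^c:\\programdata\\|^c:\\windows\\temp\\", re.I
)
# Legitimate updater name an attacker may reuse to blend in (assumption:
# the vendor's own updater never runs from a user-writable path).
UPDATER_NAMES = {"microsoftedgeupdate.exe"}
# Fast Reverse Proxy client/server binary names (conventional upstream names).
TUNNEL_TOOLS = {"frpc.exe", "frps.exe"}
# Document readers that should not normally spawn executables from temp dirs.
OFFICE_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of rule ids an event trips, in fixed evaluation order."""
    image, parent = event["image"], event["parent"]
    name, parent_name = basename(image), basename(parent)
    cmdline = event.get("cmdline", "").lower()
    hits = []
    # Rule 1: a known updater name executing from a user-writable location.
    if name in UPDATER_NAMES and USER_WRITABLE.match(image):
        hits.append("masqueraded_updater")
    # Rule 2: FRP binary by name, or an frpc invocation visible on the command line.
    if name in TUNNEL_TOOLS or re.search(r"\bfrpc\b", cmdline):
        hits.append("tunnel_tool")
    # Rule 3: a document reader spawning an executable from a user-writable path.
    if parent_name in OFFICE_READERS and USER_WRITABLE.match(image):
        hits.append("doc_spawned_exe")
    # Rule 4: anything whose parent is the tunnelling tool (e.g. the dropped updater).
    if parent_name in TUNNEL_TOOLS:
        hits.append("child_of_tunnel_tool")
    return hits


def triage_all(events):
    """Map event index -> rule ids for every event that trips at least one rule."""
    results = {}
    for idx, event in enumerate(events):
        hits = triage(event)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in triage_all(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["image"]), hits)
```

The rules are deliberately independent so that an analyst can see which signal fired: the updater name alone is not an indicator, but an updater in a temp directory with an FRP parent is. Rule 2 matches on the conventional binary name only; a renamed frpc would need a hash, signature or network-based rule instead, which is exactly the gap that open-source tooling is chosen to exploit.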
Hydrochasma's exclusive use of publicly available and living-off-the-land tools points to an effort to gain persistent, stealthy access to victim machines, escalate privileges, and move laterally across victim networks. The lack of custom malware, together with the sectors targeted, makes attribution difficult. Symantec, by Broadcom Software, has assigned the new actor identity Hydrochasma to the attackers.