Critical Start Warns of Newly Discovered Threat Group Targeting Organizations in Asia 

Previously Unknown Threat Group: Hydrochasma 

Hydrochasma is a newly discovered cyberthreat group that has been targeting medical and shipping organizations in Asia since at least October 2022. State-sponsored cyberattacks have been increasing in recent years, with governments and their intelligence agencies engaging in cyber espionage to gain an edge in political, economic, and military affairs. These attacks are typically designed to be stealthy, targeted, and persistent, with the ultimate goal of stealing sensitive data or disrupting critical infrastructure. 

Hydrochasma has not been linked to any previously identified group but appears to have a possible interest in industries involved in COVID-19-related treatments or vaccines. The group’s attack chain starts with a phishing email that likely contains a lure document as an attachment. Once the attachment is opened, the attackers gain access to the victim’s network and begin to drop a series of living-off-the-land and publicly available tools to achieve persistent and stealthy access to victim machines, escalate privileges, and spread laterally across victim networks. The tools used by Hydrochasma include Fast Reverse Proxy (FRP) and Meterpreter, among others. 

Attack Chain: Using a Living-off-the-Land Tool 

An attack that uses a living-off-the-land tool (LOTL) is when the attacker uses legitimate tools and features that are already present on the target system or network, rather than introducing custom malware or software. LOTL attacks typically use tools that are commonly available on most operating systems, making them difficult to detect with traditional antivirus and security solutions. 

Examples of LOTL tools include PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP), which are commonly used by system administrators to manage and troubleshoot systems. Attackers can abuse these tools to gain access to target systems, move laterally through networks, and carry out other malicious activities. 

LOTL attacks are often carried out by state-sponsored threat actors, who have the resources and expertise to conduct sophisticated attacks that can evade detection. However, they can also be carried out by cybercriminals and other non-state actors looking to steal sensitive data or disrupt critical systems. 

To defend against LOTL attacks, organizations should implement a defense-in-depth strategy that includes multiple layers of security controls, such as network segmentation, endpoint protection, and user training. They should also monitor for suspicious activity on their networks, including unusual use of legitimate tools and features, and have a plan in place for responding to security incidents.  

The first tool dropped by the attackers was Fast Reverse Proxy (FRP). It is designed to allow access to a local server that is behind a network address translation (NAT) or firewall by exposing it to the internet. FRP exposes a local server that is behind a NAT or firewall to the internet. This tool drops a legitimate Microsoft Edge update file (%TEMP%\MicrosoftEdgeUpdate.exe) on the victim’s machine. This means that attackers can gain access to victim machines remotely and potentially move laterally across a network. By using FRP, the attackers can achieve persistent and stealthy access to victim machines, which is a key objective in many cyberattacks. 

Another file, %TEMP%\msedgeupdate.dll, is then seen on victim machines, but this file is actually Meterpreter, a tool that is part of the Metasploit framework and can be used for remote access. Metasploit is an open-source penetration testing framework used to simulate attacks on a computer system or network to identify vulnerabilities. Metasploit provides various modules, including payloads, exploits, and auxiliary modules, that can be used to test and exploit vulnerabilities. 

Meterpreter is one of the payloads available in the Metasploit framework. It is a remote access tool that allows an attacker to take control of a victim’s machine and perform various actions, such as capturing screenshots, recording keystrokes, and stealing sensitive information. 

Meterpreter provides a command-line interface that allows an attacker to execute commands and scripts on the victim’s machine, interact with the file system, and access the victim’s network. It also includes various modules, such as privilege escalation modules, that can be used to escalate privileges on the victim’s machine and gain higher levels of access. 

Other tools that were subsequently seen on this victim’s network included the Gogo scanning tool, Process Dumper (lsass.exe), Cobalt Strike Beacon, AlliN scanning tool, Fscan, Dogz proxy tool, a shellcode loader, and a corrupted portable executable (PE) file. 

The tactics, techniques, and procedures (TTPs) observed being used in this campaign included: 

  • SoftEtherVPN: Free and open-source cross-platform VPN software that can be used to create secure connections between different devices or networks over the internet. 
  • Procdump: A utility program from Microsoft Sysinternals that can monitor an application for CPU spikes and generate crash dumps. It can also be used as a general process dump utility. 
  • BrowserGhost: A publicly available tool that can be used to steal passwords from internet browsers. It can extract credentials from popular browsers like Chrome, Firefox, and Opera. 
  • Gost proxy: A tunneling tool that can be used to bypass firewalls and other network restrictions. It can create encrypted connections between different devices or networks over the internet. 
  • Ntlmrelay: A Windows New Technology LAN Manager (NTLM) relay attack allows an attacker to intercept validated authentication requests in order to access network services. This tool can be used to carry out such attacks. 
  • Task Scheduler: A built-in Windows utility that allows tasks to be automated on a computer. It can be used to run programs or scripts at specified times or events. 
  • Go-strip: A tool used to reduce the size of Go binary files by removing unnecessary debugging information and reducing symbol table size. 
  • HackBrowserData: An open-source tool that can be used to extract sensitive information like browsing history, bookmarks, and passwords from various web browsers. It can decode encrypted data stored by browsers and save it in a readable format. 

The tools and tactics, techniques, and procedures (TTPs) used by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks. While Symantec researchers did not observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data.  

The lack of custom malware used in this attack is notable. Relying exclusively on living-off-the-land and publicly available tools can make an attack stealthier while also making attribution more difficult. Threat researchers have not seen any data being exfiltrated in this campaign, but some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data. 

Hydrochasma Targeting: Exploiting the Covid-19 Pandemic 

Hydrochasma’s targeting of shipping companies and medical laboratories in Asia highlights the growing trend of threat actors exploiting the COVID-19 pandemic for their gain. As the world continues to navigate the pandemic, threat actors are increasingly targeting organizations involved in vaccine research, treatment, and distribution. The targeting of these organizations poses a significant risk not only to their operations but also to public health. 

The sectors targeted by Hydrochasma point towards the motivation behind this attack being intelligence gathering. However, the lack of clear attribution to a known actor makes it difficult to determine the ultimate goal of the campaign or the potential impact on targeted organizations. 

Intelligence Implications: 

From a threat intelligence perspective, this campaign highlights the importance of monitoring for living-off-the-land and publicly available tools, as these can be used by both state-sponsored and non-state actors to carry out attacks. It also emphasizes the need to have a strong understanding of the TTPs used by threat actors, as these can provide valuable clues to their motivations and potential targets. 

These tools are attractive to threat actors because they are widely available and can be used to conduct attacks with minimal detection, making them a popular choice for both state-sponsored and non-state actors. The emergence of Hydrochasma highlights the continued and evolving threat posed by state-sponsored cyber espionage. This threat is further compounded by the ongoing COVID-19 pandemic, which has seen an increasing number of threat actors exploiting vaccine research, treatment, and distribution efforts.  

The emergence of Hydrochasma highlights the evolving threat landscape faced by organizations today. State-sponsored cyber espionage is becoming increasingly common, and the ongoing COVID-19 pandemic has seen a growing number of threat actors exploiting vaccine research, treatment, and distribution efforts. As such, organizations involved in these areas must remain vigilant and take proactive steps to protect themselves against potential attacks. 

Mitigation: 

To mitigate the risks posed by Hydrochasma and other threat actors using publicly available tools, organizations should prioritize a defense-in-depth strategy that incorporates multiple detection, protection, and hardening technologies. Such a strategy can help detect suspicious behavior on network machines and stop malware at each point of a potential attack chain. Additionally, organizations should monitor for living-off-the-land and publicly available tools, which are frequently used by both state-sponsored and non-state actors to carry out attacks. 

Understanding the TTPs used by threat actors is also critical in mitigating the risk of cyber-attacks. In the case of Hydrochasma, the use of phishing emails to initiate their attacks, followed by the deployment of a range of tools to achieve persistent and stealthy access to victim machines, highlights the importance of monitoring for such activity. By having access to up-to-date threat intelligence, organizations can gain valuable insights into the TTPs used by threat actors, allowing them to take proactive steps to mitigate the risks posed by cyber-attacks. 

Conclusion: 

The emergence of Hydrochasma underscores the continued and evolving threat posed by state-sponsored cyber espionage. By adopting a defense-in-depth strategy, utilizing threat intelligence, and understanding the TTPs used by threat actors, organizations can better protect themselves against potential cyber-attacks. It is critical for organizations to remain vigilant and take proactive steps to mitigate the risks posed by these attacks, particularly in industries involved in COVID-19-related treatments or vaccines. 


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar