A previously unknown threat actor that exclusively uses a slew of publicly available and living-off-the-land tools has been targeting Asia-based shipping companies and medical laboratories in an intelligence-gathering operation since October, researchers have found.
Dubbed Hydrochasma by researchers at Symantec, which is owned by Broadcom Software, the group as yet does not appear to have stolen any data, but seems to target industries that are involved in COVID-19-related treatments or vaccines for cyberespionage, Symantec’s Threat Hunter Team wrote in a blog post published this week.
“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data,” researchers wrote.
Judging by its tools and tactics, the group’s chief motive appears to be achieving persistent access to victim machines without being detected, “as well as an effort to escalate privileges and spread laterally across victim networks,” they noted.
Indeed, the lack of custom malware lends itself to this motive, Brigid O Gorman, senior intelligence analyst with Symantec Threat Hunter team, tells Dark Reading.
“The group’s reliance on living-off-the-land and publicly available tools is notable,” she says. “This may tell us a number of things about the group, including a desire to stay under the radar and make attribution of their activity more difficult.”
How Hydrochasma Attacks
Researchers first were alerted to concerning activity on the victim’s network when they noticed the presence of SoftEther VPN, a free, open source, and cross-platform VPN software often used by attackers.
Like many other threat groups, Hydrochasma appeared to use phishing as its means of initial access to a targeted network. Indeed, phishing remains one of the most successful ways for attackers to compromise networks, and it continues to grow and evolve at a fast clip.
In this case, the first sign of suspicious activity that researchers found on victim machines was a lure document with a file name in the organization’s native language that appeared to be an email attachment for a freight company “product specification,” they said. Researchers also found a lure that mimicked a resume for a “development engineer.”
Once Hydrochasma gains access to a machine, attackers drop a Fast Reverse Proxy, a tool that can expose a local server protected by a network address translation (NAT) or firewall to the Internet. That in turn drops a legitimate Microsoft Edge update file. That’s followed up by another file that’s actually a publicly available tool called Meterpreter — which is part of the Metasploit framework — that can be used for remote access, researchers said.
Everything But the Kitchen Sink
In fact, in the campaign that researchers observed, the group bombarded the victim organization with what seemed like everything but the kitchen sink in a flurry of publicly available tools aimed to guarantee its presence and persistence on the network.
“It is relatively unusual to see an attack group using only open source malware in an attack chain, so this did make Hydrochasma’s activity stand out to us,” O Gorman notes.
Other tools being wielded by Hydrochasma in the attack included: Gogo scanning tool, an automated scanning engine; Process Dumper, which allows attackers to dump domain passwords; AlliN scanning tool, which can be used for lateral penetration of the intranet; and Fscan, a publicly available hacktool that can scan for open ports and more.
Researchers also observed Hydrochasma using Cobalt Strike Beacon, a legitimate pen-testing tool that attackers also have widely adopted for executing commands; injecting, elevating, and impersonating processes; and uploading and downloading files on victim networks. The group also deployed a shellcode loader and a corrupted portable executable in the attack.
Their assault on the victim network didn’t stop there, however; additional tools that researchers observed being used in the attack included: Procdump, for monitoring an application for CPU spikes and generating crash dumps; BrowserGhost, which can grab passwords from a browser; the tunneling tool Gost proxy; Ntlmrelay for intercepting validated authentication requests to access network services; and HackBrowserData, an open source tool that can decrypt browser data.
Symantec included both file and network indicators of compromise in its blog post to help organizations identify if they’re being targeted by Hydrochasma.
The extensive use of dual-use and living-off-the-land tools by the group highlights the need for organizations to have a comprehensive security solution to detect suspicious behavior on network machines, as well as stop malware, O Gorman says: “Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain,” she tells Dark Reading. “Organizations should also be aware of and monitor the use of dual-use tools inside their network.”
In general, Symantec also advises implementing proper audit and control of administrative account usage, as well as the creation of profiles of usage for admin tools, “as many of these tools are used by attackers to move laterally undetected through a network,” O Gorman adds.