Hydrochasma hackers target medical research labs and shipping companies

A previously unknown threat actor named Hydrochasma has targeted shipping companies and medical laboratories involved in COVID-19 vaccine development and treatments.

The hackers’ objective appears to be to steal information, and their activity has been tracked since last October by threat hunters from Symantec, a Broadcom company.

A feature of Hydrochasma attacks is that they rely only on open source tools and “live off the land” (LotL) tactics, leaving no trace that could lead to attribution.

Attack flow

A Hydrochasma attack likely begins with a phishing email, an assumption based on Symantec detecting document-mimicking executables as the source of malicious activity on compromised machines.

The bogus documents use a “product specification information” theme when targeting transportation companies and a “job candidate resume” when targeting medical labs.

After compromising a machine, the attacker uses the access to deploy a Fast Reverse Proxy (FRP), which can expose local servers sitting behind NAT (Network Address Translation) or a firewall to the public internet.

Then, the intruder drops the following tools on the infected system:

  • Meterpreter (disguised as Microsoft Edge Updater): a tool with advanced penetration testing capabilities that provides remote access
  • Gogo: an automated network analysis engine
  • Process dumper (lsass.exe): used to dump domain passwords
  • Cobalt Strike Beacon: runs commands, injects into processes, uploads/downloads files
  • AlliN scan tool: used for lateral movement
  • fscan: open port scanner
  • Dogz: free VPN proxy tool
  • SoftEtherVPN: free open-source VPN tool
  • ProcDump: a Microsoft Sysinternals utility that can generate crash dumps and process dumps and monitor an application’s CPU usage
  • BrowserGhost: browser password recovery tool
  • Gost proxy: tunneling tool
  • Ntlmrelay: used for NTLM relay attacks and to intercept valid authentication requests
  • Task Scheduler: automates tasks on a system
  • go-strip: reduces the size of a Go binary
  • HackBrowserData: open-source utility to decrypt browser data

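As an added illustration for defenders (not code from the article or from Symantec), the following Python triage sketch runs over constructed process-creation events and flags three behaviours the tool list above describes: document-named executables from the lure phase, a binary carrying the Edge updater name outside its expected install directory, and ProcDump pointed at lsass.exe. The sample events and the Edge updater install path are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events for the example; these are not indicators
# from the Symantec report, only the shapes of behaviour the article describes.
EVENTS = [
    {"image": r"C:\Users\alice\Downloads\job_candidate_resume.pdf.exe",
     "cmdline": r'"C:\Users\alice\Downloads\job_candidate_resume.pdf.exe"'},
    {"image": r"C:\ProgramData\MicrosoftEdgeUpdate.exe",
     "cmdline": r'"C:\ProgramData\MicrosoftEdgeUpdate.exe" -c'},
    {"image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc'},
    {"image": r"C:\Temp\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\out.dmp"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Document-themed lure names that are really executables, e.g. resume.pdf.exe.
DOC_MIMIC = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\.(exe|scr|com|pif)$", re.IGNORECASE)
# Assumed legitimate install directory of the Edge updater (example assumption).
EDGE_UPDATE_DIR = r"C:\Program Files (x86)\Microsoft\EdgeUpdate"
# ProcDump reading LSASS is the credential-dumping step in the tool list.
LSASS_DUMP = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)


def triage(event):
    """Return the list of behaviours one event matches (empty list = clean)."""
    path = PureWindowsPath(event["image"])
    name = path.name.lower()
    findings = []
    if DOC_MIMIC.search(name):
        findings.append("document-mimicking executable")
    if "edgeupdate" in name and str(path.parent).lower() != EDGE_UPDATE_DIR.lower():
        findings.append("Edge updater name outside expected install path")
    if name.startswith("procdump") and LSASS_DUMP.search(event["cmdline"]):
        findings.append("ProcDump targeting lsass.exe")
    return findings


def scan(events):
    """Map each flagged image path to its findings; clean events are dropped."""
    return {e["image"]: f for e in events if (f := triage(e))}


if __name__ == "__main__":
    for image, findings in scan(EVENTS).items():
        print(f"{image}: {', '.join(findings)}")
```

The legitimate Edge updater entry is deliberately included so the path check can be seen passing a true positive and ignoring the real binary.
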
Using such an extensive list of publicly available tools makes it difficult to connect activity to a specific threat group and indicates that attackers aim to stay in the victim’s network for long periods of time.

“The tools deployed by Hydrochasma indicate a desire for persistent, stealthy access to victim machines, as well as an effort to elevate privileges and spread laterally across victim networks,” comments Symantec.

“Although Symantec researchers have not observed data exfiltration from victim machines, some of the tools deployed by Hydrochasma allow remote access and could potentially be used to exfiltrate data.”

Researchers do not rule out the possibility that Hydrochasma is a known threat actor that has begun experimenting with the exclusive use of LotL tools and tactics in specific campaigns to cover their tracks.

For now, the only clues to what kind of actor Hydrochasma is come from its victims, who Symantec says are located in Asia. However, this indication alone is insufficient to build a reliable profile.
