Hacker's Haven
Hydrochasma Suspected of Espionage Campaign Targeting Shipping Companies and Medical Laboratories in Asia

Hydrochasma Suspected of Espionage Campaign Targeting Shipping Companies and Medical Laboratories in Asia

Pushkar Sharma's photo
Pushkar Sharma
·

2 min read

Cybersecurity company Symantec, by Broadcom Software, has reported a suspected espionage campaign carried out by a previously unknown threat actor named Hydrochasma. The campaign, which has been ongoing since October 2022, targets shipping companies and medical laboratories in Asia. The group appears to be interested in industry verticals that are involved in COVID-19-related treatments or vaccines.

What sets Hydrochasma's campaign apart is the absence of data exfiltration and custom malware, with the threat actor employing open-source tools for intelligence gathering. By using tools already available in the public domain, the group aims to not only confuse attribution efforts but also make the attacks stealthier.

The start of the infection chain is likely a phishing message containing a resume-themed lure document that, when launched, grants initial access to the machine. From there, the attackers have been observed deploying a variety of tools, including Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and Gost proxy.

Symantec's researchers note that the tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks.

The abuse of FRP by hacking groups is not new. In October 2021, Positive Technologies disclosed attacks mounted by ChamelGang that involved using the tool to control compromised hosts. In September of the same year, AhnLab Security Emergency Response Center (ASEC) uncovered attacks targeting South Korean companies that leveraged FRP to establish remote access from already compromised servers to conceal the adversary's origins.

Hydrochasma is not the only threat actor in recent months to completely eschew bespoke malware. OPERA1ER (aka Bluebottle), a cybercrime group targeting Francophone countries in Africa, also makes extensive use of living-off-the-land, dual-use tools, and commodity malware in its intrusions.

Thank you for reading our blog today. We hope you found the information helpful and informative. If you enjoyed this blog, follow us on Twitter, Instagram, Linkedin, GitHub, Website, and Youtube for more exciting content and updates. If you have any questions or comments, please feel free to reach out to us. We would love to hear from you. Don't forget to share this with your friends and family who may also find this information useful. Thank you for your support and stay tuned for more!

Did you find this article valuable?

Support Hacker's Haven by becoming a sponsor. Any amount is appreciated!

#cybersecurityMalwareEspionageasiaHydrochasma