
Medical labs, shipping companies targeted by new threat group Hydrochasma


A new threat actor known as Hydrochasma is targeting medical labs and shipping companies based in Asia with phishing attacks in a likely intelligence-gathering campaign, according to Symantec researchers. The actors haven’t been tied to a previously identified group.

Hydrochasma appears to be interested in sectors involved in COVID-19-related treatments or vaccines and relies exclusively on publicly available and living-off-the-land tools. While these attacks have not yet reached the U.S., the tactics are serious enough to warrant review by defenders to prevent similar compromises.

Among the open-source tools are two VPN software tools: Dogz, a free VPN proxy tool, and SoftEtherVPN. It was the presence of SoftEtherVPN in the first observed campaign that prompted Symantec to investigate the activity. Like Dogz, it is free, open-source, and cross-platform.

The campaign also leverages the Gogo scanning tool, originally designed for use by red teams, a process dumper, Cobalt Strike Beacon, and the AlliN scanning tool, as well as a tunneling tool called Gost proxy and Ntlmrelay, a tool for NTLM relay attacks that enables attackers to “intercept validated authentication requests in order to access network services.”

The use of these tools suggests Hydrochasma aims to achieve persistent and stealthy access to the victim’s network and devices by escalating privileges and moving laterally across the network. While not used during the observed campaign, some of the tools could also provide remote access.

But the actors first gain access to the network using phishing emails. The first sign of infection is a lure document containing the name of the victim’s organization in their native language and indicators of a malicious email attachment. Another lure mimicked a resume for a company job posting. A successful phishing attempt provides the attackers with access to the machine.

In the initial attacks, the actors were seen installing Fast Reverse Proxy (FRP), which can expose a local server located behind a NAT or firewall to the internet. The tactic leads to what appears to be a legitimate Microsoft Edge update, which then spreads to connected machines.

However, “this file is actually Meterpreter, a tool that is part of the Metasploit framework and can be used for remote access.”

The observed campaign did not include data exfiltration, despite the ability of some of these tools to do so. As such, Symantec believes the attacks are designed for intelligence gathering. Notably, Hydrochasma did not use any custom malware in these attacks.

The report contains a list of current indicators of compromise to help with identification and attribution. Hydrochasma joins a growing list of actors targeting entities tied to COVID-19 solutions and related sectors, particularly for intelligence gathering.

A September threat brief warned the Chinese state-sponsored group APT41 was targeting healthcare, pharmaceuticals, and high-tech industries to perform internal reconnaissance and move laterally using stolen credentials, weak RDP, and brute-forcing utilities. Healthcare is also heavily targeted by BlackCat, LockBit, and Clop.

As Hold Security Founder Alex Holden told SC Media in December, the threat to healthcare has never been greater. “The message is simple: all medical professionals need to get better because the bad guys are stepping up. We need to speed up.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
