
An Asian shipping company and a medical research institute have been the target of a suspected espionage operation carried out by a never-before-seen threat actor dubbed Hydrochasma.
The campaign, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News.
While there is no evidence as yet to identify its origin or affiliation with known threat actors, the cybersecurity firm said the group may be interested in industries involved in COVID-19-related treatments or vaccines.
A standout aspect of this campaign is the absence of data exfiltration and custom malware as threat actors employ open source tools for information gathering. By using tools that are already available, it appears the intent is not only to disrupt attribution efforts, but also to make the attack more stealthy.
The starting point of the infection chain is most likely a phishing message containing a resume-themed lure document that grants initial access to the machine when it is opened.
From there, the attackers have been observed deploying tools such as Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost, and Ghost Proxy.
"The tools deployed by Hydrochasma demonstrate a desire to gain persistent and stealthy access to a victim's machine, as well as an attempt to escalate privileges and spread laterally throughout the victim's network," the researchers said.
The abuse of FRP by hacking groups is well documented. In October 2021, Positive Technologies revealed an attack staged by ChamelGang that involved the use of the tool to control compromised hosts.
Then, last September, the AhnLab Security Emergency Response Center (ASEC) discovered an attack targeting a South Korean company that used FRP to establish remote access from an already compromised server in order to hide the adversary's origin.
Hydrochasma isn't the only actor to completely forgo custom malware in recent months. Another is a cybercriminal group called OPERA1ER (aka Bluebottle), which makes heavy use of living-off-the-land dual-use tools and commodity malware in its targeted intrusions into French-speaking African countries.
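Because every tool named above is publicly available, the defensive angle is behavioural: watch for the dual-use binaries themselves and for the phishing stage in which an Office document spawns a shell. The following is an added example and is not Symantec's, ASEC's or The Hacker News' code. The telemetry format, hostnames, user names and command lines are constructed for the demo; the binary names frpc.exe/frps.exe (FRP's client and server) and fscan.exe (Fscan) are assumed to be the on-disk names an operator would leave unchanged, which a renamed copy would evade.

```python
"""Illustrative detection of living-off-the-land tooling in process telemetry.

Added example, not code from the article or the vendors it cites.  Log format,
hosts, users and command lines are constructed; the watched binary names are
an assumption based on the tools the report names (FRP, Fscan).
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed process-creation records: timestamp|host|user|image|command line|parent image
TELEMETRY = """\
2022-10-12T08:03:11Z|WS-HR-04|jdoe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE /n "resume_final.docx"|C:\\Windows\\explorer.exe
2022-10-12T08:03:40Z|WS-HR-04|jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c powershell -w hidden|C:\\Program Files\\Microsoft Office\\WINWORD.EXE
2022-10-12T08:05:02Z|WS-HR-04|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\frpc.exe|frpc.exe -c frpc.ini|C:\\Windows\\System32\\cmd.exe
2022-10-13T02:17:55Z|SRV-FILE-01|svc_backup|C:\\ProgramData\\fscan.exe|fscan.exe -h 10.20.0.0/16|C:\\Windows\\System32\\cmd.exe
2022-10-13T09:00:00Z|WS-DEV-11|bsmith|C:\\Program Files\\Git\\bin\\git.exe|git pull|C:\\Windows\\System32\\cmd.exe
"""

# Dual-use binaries named in the report (basenames, compared case-insensitively).
DUAL_USE_IMAGES = {
    "frpc.exe": "Fast Reverse Proxy client",
    "frps.exe": "Fast Reverse Proxy server",
    "fscan.exe": "Fscan network scanner",
}
# Generic rule for the resume-lure stage: an Office process spawning a shell.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    # PureWindowsPath accepts both separators; lower-case for a stable comparison.
    return PureWindowsPath(path).name.lower()


def scan(telemetry: str) -> List[Finding]:
    """Return one Finding per rule match, in telemetry order."""
    findings: List[Finding] = []
    for raw in telemetry.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|", 5)
        if len(fields) != 6:
            continue  # malformed record: skip it rather than abort the whole scan
        ts, host, user, image, cmdline, parent = fields
        img, par = _basename(image), _basename(parent)
        if img in DUAL_USE_IMAGES:
            findings.append(Finding(ts, host, "dual_use_tool",
                                    f"{DUAL_USE_IMAGES[img]} run by {user}: {cmdline}"))
        if par in OFFICE_IMAGES and img in SHELL_IMAGES:
            findings.append(Finding(ts, host, "office_spawned_shell",
                                    f"{par} spawned {img} for {user}: {cmdline}"))
    return findings


def summarize_by_host(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per host so a triage queue can rank hosts with clustered activity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(TELEMETRY)
    for f in hits:
        print(f"{f.timestamp} {f.host} [{f.rule}] {f.detail}")
    print(summarize_by_host(hits))
```

Run stand-alone, the block flags the Office-spawned shell and the frpc launch on the same workstation, and the Fscan run on the file server, while leaving the ordinary git invocation alone. Name matching is the weakest part of the approach: the point of the per-host summary is that several low-confidence signals on one host within a short window are what make living-off-the-land tradecraft visible.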