A new threat actor has been observed targeting shipping companies and medical research institutes in Asia with phishing emails.
Named "Hydrochasma" by Symantec, the group may, according to the cybersecurity firm's researchers, have an interest in industries related to COVID-19 treatments and vaccines.
“The infection vector used by Hydrochasma was most likely a phishing email,” reads an advisory published today by Symantec.
“The first suspicious activity we saw on the machine was a lure document with a file name in the victim organization’s native language that indicated it was an email attachment.”
After gaining initial access, the threat actors were observed dropping Fast Reverse Proxy (FRP), a tool that exposes local servers located behind network address translation (NAT) or firewalls.
The attackers also dropped a legitimate Microsoft Edge update file along with a .dll file. The DLL is actually a Meterpreter tool that can be used to gain remote access to the victim's machine.
Symantec also found several additional malware tools on infected machines, including the Gogo scanning tool, Cobalt Strike Beacon, and Fscan, a publicly available port scanning tool.
Additionally, Symantec said it found a shellcode loader and a corrupted portable executable (PE) file on the victim’s network.
"While [we] have not observed data being exfiltrated from the victim's machine, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," the advisory continues.
"The sectors targeted also point to the motive behind this attack being intelligence gathering."
It's worth noting that, according to the company, Hydrochasma does not use any custom malware.
"Living off the land and relying solely on publicly available tools helps make the attack more stealthy, but also makes attribution more difficult," Symantec explains.
Healthcare is currently one of the sectors most targeted globally by threat actors using phishing techniques, according to new data from the Healthcare Information and Management Systems Society (HIMSS).