While many successful attack campaigns employ custom malware and tools, sometimes those aren’t necessary and simple, freely available tools are all that’s needed to get the job done. A recently uncovered campaign that has targeted organizations in Asia in the medical and shipping industries has shown highly targeted lures and time-tested techniques still work.
The campaign began in October 2022, and researchers at Symantec found that the attackers deployed phishing lure documents tailored to each victim organization and used a range of open source and other freely available tools to gather intelligence on target networks and maintain persistence. The attackers, whom Symantec named Hydrochasma, did not appear to steal any data from the victim networks, but may be laying the groundwork for that down the road.
“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks,” a new analysis of the campaign published Wednesday says.
“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data. The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”
The intrusions appear to start with targeted phishing emails carrying lure documents whose subject lines are designed to be relevant to the victims, such as engineering candidate resumes or product specifications. In one instance, the attackers installed the Fast Reverse Proxy tool on a compromised machine and later installed the Meterpreter payload from the Metasploit framework. Meterpreter is used for persistence and allows the attackers to execute remote commands.
The Hydrochasma attackers also use a variety of other common tools in this campaign, including Cobalt Strike beacons, the Procdump Sysinternals tool, the BrowserGhost password dumping tool, and various proxies and VPNs.
“The lack of custom malware used in this attack is also notable. Relying exclusively on living-off-the-land and publicly available tools can help make an attack stealthier, while also making attribution more difficult. Symantec did not see evidence to link this activity to a known actor, prompting us to create the new actor identity of Hydrochasma for those behind this activity,” the Symantec researchers said.