HydroChasma: new malicious campaign aimed at shipping companies and medical laboratories in Asia

The group's activity, which is tracked under the code name HydroChasma, has been ongoing since October 2022. “Shipping companies and medical laboratories in Asia are attacked as part of the intelligence campaign, which relies exclusively on publicly available tools for LOTL attacks,” Symantec researchers said in their report on February 22.

There is not yet any evidence to determine the group's origin or its links to other known cybercriminals, but Symantec said that the group may be interested in attacking medical-industry verticals associated with COVID-19.

A notable aspect of the campaign is that the attackers do not steal any data and do not distribute malicious programs. Instead, they use open-source tools to collect intelligence.

As reported, the infection chain begins with a phishing email containing a lure document. The document provides initial access to the device. After gaining that access, the attackers deploy a range of ready-made tools such as Fast Reverse Proxy (FRP), Meterpreter, Cobalt Strike Beacon, Fscan, BrowserGhost and the Gost proxy server.

“The tools deployed by HydroChasma indicate the desire to achieve constant and hidden access to victims, as well as the desire to increase privileges and spread across victim networks,” the researchers said.

Various hacker groups are increasingly using Fast Reverse Proxy in their attacks. At the end of September 2021, for example, Positive Technologies discovered attacks aimed at South Korean companies in which FRP was used to establish remote access from already compromised servers and to hide the attacker's origin.

HydroChasma is not the only cybercrime group in recent months to have completely abandoned specialized malware. Such groups include, for example, Opera1er (also known as Bluebottle), which makes extensive use of dual-purpose LOTL tools and standard malware in intrusions aimed at French-speaking African countries.
