Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia

MITRE Techniques

• [T1566.001] Phishing: Attachment – The infection vector is likely phishing with lure documents in the victim’s language; for example, a lure titled “[TRANSLATED FROM THE ORIGINAL] Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf.exe”.
• [T1090.001] External Proxy – Fast Reverse Proxy (FRP) is used to expose a local server to the internet, enabling remote access; quote: “the attackers were seen dropping Fast Reverse Proxy (FRP), a tool that can expose a local server that is sitting behind an NAT or firewall to the internet.”
• [T1219] Remote Access Tools – Meterpreter and Cobalt Strike Beacon provide remote access, process injection, and command execution; quote: “This file is actually Meterpreter, a tool that is part of the Metasploit framework and which can be used for remote access.” and “Cobalt Strike Beacon: An off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes.”
• [T1046] Network Service Discovery – Multiple scanning tools (Gogo, AlliN, Fscan) indicate discovery of network services and lateral movement opportunities; quote: “Gogo scanning tool: An automated scanning engine originally designed for use by red teams.”
• [T1003.001] OS Credential Dumping – Process Dumper (lsass.exe) used to dump domain passwords; quote: “Process Dumper (lsass.exe): A tool that allows attackers to dump domain passwords.”
• [T1053] Scheduled Task – Task Scheduler enables automated tasks and persistence; quote: “Task Scheduler: Allows tasks to be automated on a computer.”
• [T1572] Protocol Tunneling – Gost proxy and similar tools enable tunneling to bypass network restrictions; quote: “Gost proxy: A tunneling tool.”
• [T1550] Use of Credentials – NTLM relay used to intercept and reuse authentication; quote: “Ntlmrelay: An NTLM relay attack allows an attacker to intercept validated authentication requests in order to access network services.”
• [T1071.001] Web Protocols – Cobalt Strike Beacon C2 communications leverage web protocols; quote: “Cobalt Strike Beacon C&C” (as part of command and control using web protocols).
• [T1560] Archive Collected Data – Not explicitly detailed, but the stealthy, living-off-the-land approach aligns with minimizing data fingerprints and exfiltration risk; quote: “living-off-the-land and publicly available tools can help make an attack stealthier, while also making attribution more difficult.”
• [T1105] Ingress Tool Transfer – Tools and payloads are moved to the victim environment as part of initial access and follow-on actions; quote: multiple tools and DLL/PE dropper deployments described.
• [T1059] Command and Scripting Interpreter – Meterpreter and Cobalt Strike capabilities imply command execution within compromised hosts; quote: “execute commands, inject other processes, elevate current processes, or impersonate other processes.”
• [T1218] Signed Binary Proxy Execution – Use of legitimate-looking binaries (e.g., Edge update) as a cover for malicious activity; quote: “drops a legitimate Microsoft Edge update file: %TEMP%MicrosoftEdgeUpdate.exe” and “%TEMP%msedgeupdate.dll” used for remote access.
• [T1120] Peripheral Device Discovery – Not explicitly present, included for completeness in listing broad toolset; no direct quote.