Hydrochasma Threat Group Targeting Research Labs, Shipping Firms

A previously unseen threat group has begun targeting shipping companies and medical laboratories across Asia. According to a report published by Symantec, this actor has been observed using only open-source tools and living-off-the-land techniques (abuse of legitimate binaries already present on the system, or LOLBins) and appears to be motivated by intelligence gathering. The attack chain outlined by Symantec began with the download, from a phishing email, of a file named “[TRANSLATED FROM THE ORIGINAL] Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf.exe”, an executable disguised as a PDF document. Following initial access, a tool called “Fast Reverse Proxy” was downloaded and a Meterpreter shell was loaded, disguised as an update for Microsoft Edge. Meterpreter is a component of Metasploit, a prominent open-source offensive security framework. The attacker has also been seen using Procdump, a Microsoft Sysinternals tool that system administrators use for troubleshooting; because it dumps process memory, it can be abused to recover other users' login credentials and pivot across a network.
Phishing continues to be a focal point of initial access for threat actors. This campaign emphasizes the importance of a phishing awareness program and of monitoring processes such as PowerShell and Procdump for potential misuse. LOLBin usage lets attackers blend in with normal administrative activity, so organizations are recommended to deploy detections and mitigations for the post-exploitation phase of an attack in order to surface misuse of these otherwise legitimate programs.
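The monitoring recommendation above can be turned into concrete process-creation logic. The following is an added example written for this summary, not code from Symantec's report or from any detection product: it scans Sysmon-style process-creation events (field names Image, ParentImage, OriginalFileName and CommandLine are assumed to match Sysmon Event ID 1) for the four behaviours described in the campaign, namely executables masquerading as documents via a double extension, Procdump execution even when the binary has been renamed, an "Edge update" binary running outside the updater's install directory, and PowerShell spawned by a document-lookalike. All sample events, the user name and file paths are constructed; the Edge updater install path is an assumption about a standard 64-bit Windows layout.

```python
"""Flag process-creation events matching the tradecraft described above.

Events mimic Sysmon Event ID 1 fields; every event below is a constructed
sample, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Document-like extensions that should never be followed by ".exe".
DOC_EXT = ("pdf", "doc", "docx", "xls", "xlsx", "txt")
DOUBLE_EXT = re.compile(r"\.(" + "|".join(DOC_EXT) + r")\.exe$", re.IGNORECASE)

# Procdump keeps its OriginalFileName even when renamed on disk.
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# Assumed legitimate install directory of the Microsoft Edge updater.
EDGE_UPDATE_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the list of suspicious traits found in one process-creation event."""
    findings: List[str] = []
    image = event.get("Image", "")
    name = basename(image)
    parent = basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()

    # Lure style seen in the campaign: "<document name>.pdf.exe".
    if DOUBLE_EXT.search(name):
        findings.append("document-masquerading executable")

    # Procdump use, regardless of the on-disk name.
    if name in PROCDUMP_NAMES or original in PROCDUMP_NAMES:
        findings.append("procdump execution")

    # Something calling itself an Edge updater but not living where the updater lives.
    if "edge" in name and "update" in name and not image.lower().startswith(EDGE_UPDATE_DIR):
        findings.append("edge-updater lookalike outside install dir")

    # PowerShell launched by a document-lookalike executable.
    if name in POWERSHELL_NAMES and DOUBLE_EXT.search(parent):
        findings.append("powershell spawned by document-masquerading executable")

    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, findings) for every event that triggered at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e))]


# Constructed sample events (user, paths and PIDs are made up).
LURE = ("C:\\Users\\alice\\Downloads\\Product Specification-Freight-Company "
        "Qualification Information wps-pdf Export.pdf.exe")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": LURE, "ParentImage": "C:\\Windows\\explorer.exe",
     "OriginalFileName": "", "CommandLine": LURE},
    {"Image": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "OriginalFileName": "microsoftedgeupdate.exe", "CommandLine": "MicrosoftEdgeUpdate.exe /svc"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MicrosoftEdgeUpdate.exe",
     "ParentImage": LURE, "OriginalFileName": "", "CommandLine": "MicrosoftEdgeUpdate.exe"},
    {"Image": "C:\\Windows\\Temp\\svc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "procdump64.exe", "CommandLine": "svc.exe -accepteula"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": LURE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for index, traits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {basename(SAMPLE_EVENTS[index]['Image'])} -> {', '.join(traits)}")
```

Run against the samples, the legitimate Edge updater (event 1) stays silent while the other four events are flagged. The Procdump rule fires on any execution, including an administrator's legitimate troubleshooting, so it is a triage signal to be paired with context such as the launching user, parent process and host role rather than a standalone alert.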