The Evora threat is a tool used by the Thrip hacking group. This tool is a backdoor that has been utilized as a first-stage payload that is meant to help the attackers to plant additional malware on the compromised system mainly. Its creators, the Thrip APT (Advanced Persistent Threat), concentrate on going after large companies that operate in the healthcare and military industries mainly. However, they also tend to target businesses in the media and telecommunications industries too. The goal of the Thrip hacking group is espionage, especially – they collect sensitive information from big corporations.
The Thrip APT first emerged in 2012, but they did not catch the attention of malware analysts until 2018. Once cybersecurity researchers started studying this hacking group, they found out more about their arsenal of tools and infrastructure, as well as their preferred targets. The Evora backdoor has been utilized in several reconnaissance campaigns carried out by the Thrip hacking group. However, the cybercriminals have since released a new and upgraded variant of the threat named Sagerunex. Both threats are very similar to one another, but the Sagerunex backdoor has rendered the Evora malware obsolete.
The Evora threat has likely been deployed during the first stage of the hacking campaign. Once the Evora backdoor has compromised the targeted host successfully, the Thrip APT would use it to plant a second-stage payload on the infected system. It is likely that the hackers have used this threat to plant infostealers like the Catchamas malware, which would collect sensitive data from the compromised host and exfiltrate it to the C&C (Command & Control) server of the Thrip APT.
The Thrip APT is not known for developing state-of-the-art hacking tools, but the threats it has in its arsenal are capable of causing significant damage to their targets.