The Hannotog malware is a backdoor Trojan that is part of the hacking arsenal of the Thrip group. Thrip is an APT (Advanced Persistent Threat) that carries out most of its operations in Southeast Asia. The majority of the Thrip group's targets are large organizations in various industries – military, media, healthcare, telecommunications, etc. According to malware analysts, the Thrip APT has been operating since 2012. However, it managed to stay under the radar of cybersecurity researchers until 2018. The group employs both custom-made hacking tools and publicly available malware.
The Hannotog threat is a custom-made backdoor Trojan that is often employed in the reconnaissance phase of the Thrip APT's campaigns. The goal of most of the Thrip group's operations is gathering sensitive documents and files from the computers of its victims, which explains why it targets large organizations in important industries. The Hannotog Trojan is designed to operate over prolonged periods and remain undetected. Hannotog can collect information about the victim's software, hardware and network settings; the collected information is then transferred to the attackers' C&C (Command & Control) server. Since Hannotog is a backdoor, its main purpose is to let the Thrip APT deploy additional payloads on the compromised computer. This is why the Hannotog backdoor Trojan serves as a first-stage payload: it profiles the host, reports back, and then fetches whatever the operators want to run next. Malware researchers have observed the Hannotog backdoor Trojan being used to plant the Catchamas infostealer on infected systems. The Catchamas infostealer is another custom-built hacking tool in the Thrip APT's arsenal.
Since none of the threats built by the Thrip APT are especially sophisticated, users and companies can reduce their exposure considerably by running a genuine, up-to-date anti-virus software suite. Anti-virus is a baseline rather than a guarantee, however: because Hannotog is built to stay quiet and to phone home to a C&C server, organizations that are plausible Thrip targets should also keep systems patched and watch for unexpected outbound connections, so that an implant that slips past signature detection can still be caught before the second-stage payload lands.