By GoldSparrow in Backdoors

The Sagerunex threat is part of the arsenal of hacking tools of the Thrip APT (Advanced Persistent Threat). This hacking group has been active since 2012, but it was not until 2018 that they caught the attention of malware analysts who began studying their campaigns. The Thrip APT operates mainly in the Southeast Asian region and tends to target high-level companies and organizations. Most of their targets appear to operate in the healthcare, media, military and telecommunications industries.

After cybersecurity experts studied the Sagerunex backdoor, they found uncanny similarities between it and the Evora threat – another backdoor Trojan that is part of the arsenal of the Thrip hacking group. It would appear that the Sagerunex threat is a new and improved variant of the older Evora backdoor. The Sagerunex malware is rather limited in regards to its capabilities. However, this tool is able to do more than enough to achieve the end goal of the Thrip APT – collecting sensitive data from the targeted hosts. The Sagerunex backdoor is likely deployed as a first-stage payload. This enables the attackers to use the Sagerunex threat to plant additional malware on the victim’s system. It is likely that the secondary payload in the majority of the Thrip group’s campaigns is an infostealer that will allow the attackers to exfiltrate important, sensitive data and files from the infected computers. The Sagerunex backdoor is designed to gain persistence on the compromised host as soon as it successfully infiltrates it. This is done by tampering with the Windows Registry – this ensures that the Sagerunex backdoor is executed upon rebooting the system. To avoid detection by the victim, the Sagerunex backdoor uses the name ‘svchost.exe,’ which may mislead users into thinking that this is a legitimate Windows service process. As soon as the Sagerunex backdoor gains persistence on the system, it will connect to the attackers’ C&C (Command & Control) server and wait for them to send commands, which the threat will execute on the infected host.
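A defender can turn the two traits described above (a Registry-based autostart and an executable named ‘svchost.exe’ that is not the real one) into a simple triage check. The script below is an added example written for this article, not code from the Thrip analysis or any vendor; it assumes the autostart lives in a Run key (the article only says "the Windows Registry"), and the Run entries and the environment-variable mapping it works on are constructed sample data. A genuine svchost.exe only lives in the Windows system directories, so any autorun whose image carries that name but sits elsewhere is worth a closer look.

```python
import re
from pathlib import PureWindowsPath

# Where the genuine svchost.exe lives on a default Windows install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed environment mapping (a real check would use the host's own).
SAMPLE_ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows",
              "appdata": r"C:\Users\victim\AppData\Roaming"}

# Constructed Run-key entries: (value name, command line). The last two
# mimic the masquerade described in the article; the first two are benign.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r"%APPDATA%\Microsoft\svchost.exe -k netsvcs"),
    ("Updater", r'"C:\ProgramData\Update\svchost.exe"'),
]

def expand(path: str, env: dict) -> str:
    """Expand %VAR% references using the supplied (host or sample) environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def command_image(cmd: str) -> str:
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted image path
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)     # unquoted: stop at first .exe
    return m.group(1) if m else cmd.split()[0]

def suspicious_svchost_autoruns(entries, env=SAMPLE_ENV):
    """Return (value name, resolved image) for autoruns whose image is named
    svchost.exe but does not reside in a Windows system directory."""
    hits = []
    for name, cmd in entries:
        image = PureWindowsPath(expand(command_image(cmd), env))
        if image.name.lower() == "svchost.exe" and \
                str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
            hits.append((name, str(image)))
    return hits

def read_live_run_entries():
    """On Windows only: read HKCU and HKLM ...\CurrentVersion\Run via winreg."""
    import winreg  # raises ImportError off Windows
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break
                entries.append((name, str(data)))
                i += 1
    return entries

if __name__ == "__main__":
    for name, image in suspicious_svchost_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun '{name}' -> {image}")
```

On a real host, feed `read_live_run_entries()` into `suspicious_svchost_autoruns()` with the machine's own environment; treat a hit as a lead for further investigation rather than proof of infection.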

The Sagerunex backdoor, as well as the other tools in the hacking arsenal of the Thrip APT, cannot be classified as very high-end malware. If you install a reputable anti-virus application on your system, you should be reliably protected against the Sagerunex backdoor and other similar threats.
