Thrip

Thrip Description

A Chinese APT (Advanced Persistent Threat) discovered by Symantec in 2018, dubbed Thrip, continue to act despite their exposure. The group has targeted several organizations in Asia over the past year, according to recent reports.

Researchers also say that the group is taking advantage of a custom backdoor called “Hannotog” to access systems and wreak havoc.

The group is similar to Billbug/Lotus Blossom, another Chinese hacking group that has the backing of the Chinese government. Billbug has been a threat in Asia – Southeast Asia specifically – for the past decade.

The Thrip APT is focused on carrying out reconnaissance operations mainly. This is why their threats tend to operate rather silently. The tools deployed in Thrip’s campaigns would gain persistence on the compromised host and begin an espionage operation that is built to last long-term if undetected. The Thrip APT uses both custom-created hacking tools and publicly available tools. Among the most used tools in the hacking arsenal of the Thrip APT are the Hannotog, Sagerunex and the Evora backdoors, as well as the Catchamas infostealer. The threats developed by the Thrip hacking group cannot be considered very high-end, but they are good enough to carry out successful operations.

The Thrip APT tends to use commonly utilized tricks for both infostealing and gaining persistence in the infected host. The custom-built Evora and Sagerunex backdoors appear to rely on tempering with the Windows Registry service to gain persistence. To remain undetected for a longer period, both threats use names that mimic generic Windows services. In the case of the Catchamas infostealing malware, the threat has adopted the ‘NetAdapter’ name. This makes the threat sound like a genuine network component, and it is unlikely that the victim will notice anything out of the ordinary.

Thrip Attacks Continue

The latest reports on the group suggest that they continue to focus on key targets, including telecommunications companies, satellite communications companies, and military targets in Macau, Malaysia, Hong Kong, Vietnam, and other Eastern Asia countries.

Researchers say that groups conducting these kinds of attacks will stop – at least temporarily – after being exposed. That’s not been the case with Thrip. The group has continued their attacks as they continue to develop tools and tricks to conducting them. It is believed that the group persists in their attacks due to some kind of deadline or other time-sensitive matter. The group appears to be motivated by some important geo-sensitive issues and can’t afford to halt their attacks.

Thrip Creates Custom Backdoor

Thrip is known for its custom backdoor Hannotog. This backdoor is typically used in environments that use the built-in features of Windows Management Instrumentation. The group has been able to create a custom backdoor in a relatively short amount of time, but they’ve also found a way to hide it by using it in smart ways that could circumvent security controls.

No matter how Thrip conducts attacks, their goal is clear; to gather information from targets.

Thrip Targets High-Profile Victims

As well as sharing similar goals, Thrip attacks also share similar targets. Thrip has been targeting the same kind of organizations since they were first discovered in 2018. The group first caught the attention of researchers when they infected computers at a satellite communications company.

The group has continued to attack similar companies since then, including an attack in July 2019.

Thrip has been connected to at least 12 attacks since being noticed. Their attacks have included targets in maritime communications, media, and education companies, as well as attacks on military and satellite communications.

Thrip, like many such groups, leans towards the use of clean tools built into operating systems. Using these tools is essential for the group as their targets have included defense contractors, military groups, and satellite operators across several nations. Hackers must rely on clean tools to avoid detection on these networks and maintain a consistent presence. Thrip continues to target high-profile victims and continues to evolve their tools and operation procedures.

The Unique Backdoor Used by Thrip

Researchers learned a lot about Thrip and their hacking activity after discovering the Hannotog backdoor. The group has used the backdoor since early 2017. The first known Hannotog infection was used against a Malaysian organization. Symantec’s Targeted Attack Analytics Technology noticed the backdoor.

Researchers were able to use the information from the alert to find another attack by Thrip. Once these connections were made, it was easy to connect the group to other attacks and keep track of their movements.

The Hannotog backdoor gives Thrip a persistent presence on target networks. The backdoor has been employed alongside other tools, such as Sagerunex. Sagerunex is another custom backdoor; this one gives the group remote access to computers. The group is also known to use the custom trojan Cathamas, which steals information from target computers.

On top of all this, the group uses similar dual-use tools as other hacking groups such as archiving tools, proxy tools, and PowerShell exploits.

The Billbug Connection

Researchers connected Thrip to Billbug through their use of Sagerunex. Researchers believe that Sagerunex is likely an advanced version of Evora, a tool used by Billbug. The two tools share similar code, which is a sign one was made from the other.

Billbug is similar to Thrip in that they primarily operate across Southeast Asia. Billbug uses different tactics to Thrip. Billbug is known for its spear-phishing attacks on targets that infect computers through exploiting Microsoft Office and PDF documents. The group primarily targets government groups and the military. Given the similarities between the two groups, researchers lump them together and say that they are “one and the same” now.

By connecting the organizations and treating Thrip as a subset of Billbug, end users can better understand their overall range of targets and activity, the resources available to them, and their whole focus. Looking at the two groups as being part of a single whole gives researchers and defenders more information to determine if they could be a target and prepare for a potential attack.