loader gif

Chinese cyber-espionage group Thrip targets organizations in South East Asia

Chinese cyber-espionage group Thrip targets organizations in South East Asia
  • In recent attacks, the APT group was spotted using a previously unseen backdoor dubbed ‘Hannotog’ and another backdoor dubbed ‘Sagerunex’.
  • Researchers noted that the Sagerunex backdoor is an evolution of an older tool dubbed ‘Evora’, which has been used by the Billbug group.

The Chinese cyber-espionage group dubbed ‘Thrip’ targets entities in Southeast Asia, including military, defense, telecom companies, satellite communications, media, and educational organizations.

About the group

Thrip threat actor group has been active since 2013 targeting organizations in Southeast Asia, Hong Kong, Macau, Indonesia, the Philippines, Malaysia, and Vietnam.

Researchers at Symantec first published details about Thrip in 2018 and has now confirmed that the group continues to target Southeast Asia.

Malware used by Thrip

In recent attacks, the group was spotted using a previously unseen backdoor dubbed ‘Hannotog’ and another backdoor dubbed ‘Sagerunex’. Thrip was also spotted using an info-stealer dubbed ‘Catchamas’.

  • Hannotog is a custom malware that has been used by Thrip since at least January 2017.
  • This backdoor enables the attackers to gain persistence on the victim’s network.

Apart from malware, Thrip also utilizes dual-use tools and living-off-the-land tactics such as credential dumping, archiving tools, powerShell, and proxy tools.

Connections with Billbug group

Researchers noted that the Sagerunex backdoor is an evolution of an older tool dubbed ‘Evora’, which has been used by the Billbug group.

After analyzing the strings and code flow between the two malware, researchers determined that,

  • The code for logging is the same for both Sagerunex and Evora
  • The logging string format is similar in both malware
  • The log name for both the malware starts with “\00EV”
  • Similarly, C&C communication code flows are also the same for both.

“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,” researchers concluded.

loader gif