The Chinese cyber-espionage group dubbed ‘Thrip’ targets entities in Southeast Asia, including military, defense, telecom companies, satellite communications, media, and educational organizations.
About the group
The Thrip threat actor group has been active since 2013, targeting organizations in Southeast Asia, Hong Kong, Macau, Indonesia, the Philippines, Malaysia, and Vietnam.
Researchers at Symantec first published details about Thrip in 2018 and have now confirmed that the group continues to target Southeast Asia.
Malware used by Thrip
In recent attacks, the group was spotted using a previously unseen backdoor dubbed ‘Hannotog’ alongside another backdoor dubbed ‘Sagerunex’. Thrip was also observed using an info-stealer dubbed ‘Catchamas’.
Apart from custom malware, Thrip also relies on dual-use tools and living-off-the-land tactics, such as credential dumping, archiving tools, PowerShell, and proxy tools.
Connections with Billbug group
Researchers noted that the Sagerunex backdoor is an evolution of an older tool dubbed ‘Evora’, which has been used by the Billbug group.
After analyzing the strings and code flow of the two malware families, researchers determined that,
“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,” researchers concluded.