Chinese APT Group 'Thrip' Powers AheadHackers Have Attacked at Least 12 Targets Since 2018, Symantec Researchers Say
A Chinese advanced persistent threat group dubbed Thrip that Symantec researchers uncovered in 2018 has been undeterred by the exposure, attacking at least a dozen organizations in Southeast Asia over the past year, the researchers say in a recent report.
In addition, Symantec researchers found this group using a previously undetected custom backdoor called "Hannotog.”
Thrip appears to be part of another nation-state backed hacking gang called Billbug or Lotus Blossom that has been operating in Southeast Asia for the past 10 years, the researchers say.
The new report paints a picture of a threat group that is staying focused on its primary targets – including military organizations, satellite communications operators and telecommunications companies in Eastern Asian countries that include Macau, Indonesia, Vietnam, Hong Kong and Malaysia.
"Usually groups that target sensitive organizations pause activities after their activity is publicly exposed," Vikram Thakur, technical director for Symantec Security Response, tells Information Security Media Group.
"Thrip appears to have continued their attack campaigns, albeit developing and using updated malware tools. We believe the lack of a substantial break in activity can be attributed to a time-sensitive mandate. We do not have insight into Thrip’s end goal but are certain it is driven by geo-sensitive matters of national importance."
While Hannotog is a custom backdoor, it is typically executed in environments that leverage a built-in feature of Windows Management Instrumentation, Thakur says.
"Thrip has not only been able to generate a new backdoor in the extremely short run, but also attempted to hide their presence by executing the malicious files in ways that might circumvent some security controls in target networks," Thakur says. "Their intentions remain clear - continue gathering desired information from sensitive networks, whatever the resource requirements may be."
Thrip continues to attack the same types of organizations as when Symantec researchers first discovered the group in June 2018. What caught the researchers' attention last year was the group’s targeting of a satellite communications operator, infecting computers that included software designed to monitor and control satellites.
Attacks on similar companies have continued this year, with one being detected as recently as July, researchers say in the new report.
The 12 attacks that Symantec attributes to Thrip since it was first detected have spanned targets in maritime communications, education and the media in addition to the military and satellite communications, researchers say.
"Thrip seems to be leaning, like most other targeted attacking entities, toward usage of clean tools in-built into the operating system," Thakur says. "This is critical for Thrip as their targets over the past couple years have spanned satellite operators, defense contractors and militaries of countries. Maintaining presence on such sensitive networks requires the attackers to avoid reliance on custom, low-prevalence malicious files. In one sense, Thrip has evolved in their tools and procedures over the past year. Their targets continue to remain high-profile by anyone's standards."
Previously Unseen Backdoor
Symantec researchers uncovered much of Thrip’s recent activity after discovering the previously unknown Hannotog backdoor, which they say has been in use since at least January 2017 and was first detected at an organization in Malaysia. The backdoor malware trigged an alert in Symantec’s Targeted Attack Analytics technology around suspicious Windows Management Instrumentation activity.
Symantec’s researchers then were able to find other organizations attacked by Thrip and track the group's recent activities, according to the report.
Hannotog gives the cybercriminals a persistent presence on the target's network. It has been used with other tools tied to Thrip, including another custom backdoor called Sagerunex that provides remote access and Catchamas, a custom Trojan malware put on selected computers and used to steal information, the researchers say.
Thrip also leverages several dual-use malicious tools, including archiving tools, PowerShell exploits and proxy tools, the researchers say.
Thrip was linked to the hacking group Billbug through the Sagerunex backdoor, which the researchers say seems to have evolved from an older Billbug tool known as Evora. The researchers compared strings and code flow between the two malware tools and found a number of similarities.
Like Thrip, Billbug operates in Southeast Asia. Billbug uses spear-phishing or watering hole attacks to compromise targets, leveraging exploits in Microsoft Office and PDF documents to deploy the malware. Its targets have been primarily governments and military organizations. Based on all the similarities between Thrip and Billbug, the researcher conclude, "in all likelihood, Thrip and Billbug now appear to be one and the same."
Thankur notes: "Knowledge of Thrip being a subgroup of Billbug allows end users the opportunity to understand the superset of targets over a longer period of time, the capabilities and resources available to the overarching group, and the focus of the attacking team as a whole. Ultimately, network defenders can analyze a lot more data to determine the risk Thrip poses to their organization."