The China-linked APT group Thrip is continuing to target entities in Southeast Asia even after its activity was uncovered by Symantec.
Experts at Symantec first exposed the activity of the Chinese-linked APT Thrip in 2018, and now the security firm confirms that the cyber espionage group has continued to carry out attacks in Southeast Asia.
In June 2018, Symantec observed the Thrip group for the first time; at the time the crew had breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.
The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.
The group has continued launching attacks against entities in Southeast Asia, including military, satellite communications, media and educational organizations. Symantec experts have identified a dozen victims in several countries, including Hong Kong, Macau, Indonesia, the Philippines, Malaysia and Vietnam.
The Thrip group used both custom malware and legitimate tools against its targets, which continue to include defense contractors, telecoms companies, and satellite operators.
“Many of its recent attacks have involved a previously unseen backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex).” reads the analysis published by Symantec. “Analysis of the latter has revealed close links to another long-established espionage group called Billbug (aka Lotus Blossom). In all likelihood, Thrip and Billbug now appear to be one and the same.”
The recent Thrip campaigns involved a new backdoor tracked as Hannotog. This custom-built backdoor has been used since at least January 2017 to achieve persistence on compromised networks. The Chinese cyberspies also used other tools, including the Sagerunex backdoor and the Catchamas information stealer.
Sagerunex is a custom backdoor providing remote access to the attackers, while Catchamas is a custom-built Trojan used in targeted attacks to steal information.
The experts linked the Thrip APT to another group, Billbug (aka Lotus Blossom), by analyzing the Sagerunex backdoor. Researchers discovered that Sagerunex borrows code from an older Billbug tool dubbed Evora.
The targets of the two groups show significant overlap: Billbug has also targeted many military and government organizations in South Asia since at least January 2009. Security experts at Symantec speculate that Thrip is a sub-group of Billbug.
“What ties the two groups together is the Sagerunex backdoor. This malware appears to be an evolution of an older Billbug tool known as Evora.” continues the report. “By comparing strings and code flow between the two, we found that:
The code for logging in both is the same
The logging string format is similar, Evora is just more verbose
The log name for both starts with “\00EV”
The command and control (C&C) communication code flows are similar
Billbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group, the wider Billbug group is known for specializing in operations against targets in South Asia.”
The link between Thrip and Billbug confirms that the Chinese government is behind a broader range of espionage activity aimed at governments and militaries in South Asia.
“Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia.” concludes the report.
“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers.”