What Is It?

Symantec has published the results of research into continuing attacks from an APT (Advanced Persistent Threat) group known as Thrip. It first reported on the activities of this group in June 2018, after Thrip had been targeting satellite communications, telecommunications, geospatial imaging and government/defense organizations, mainly in South East Asia. Attacks by Thrip utilized custom malware in addition to commonly used utilities such as PsExec, Powershell and the open source FTP client, WinSCP.

Since mid-2018, Thrip has continued to target organizations in South East Asia involved in maritime communications, media, education, military and additional satellite communications providers. Target organizations are located in Hong Kong, Indonesia, Macau, Malaysia, the Philippines and Vietnam.

The custom malware utilized in these attacks consists of two backdoors, designated Hannotog and Sagerunex. Additionally, Thrip uses new variants of an information stealer referred to as Catchamas. The Hannotog backdoor provides Thrip with a foothold into a network, Sagerunex offers remote access to systems within the network and Catchamas is selectively installed on systems identified as potentially containing information of value to the attackers.

Thrip also makes use of commonly used utilities, known as “living off the land,” to move laterally through network and perform reconnaissance. From an attacker’s point of view, this is to make use of a target system’s native tools that have numerous legitimate uses, such as Powershell, which is heavily used by Microsoft Windows administrators to perform system management tasks. In this way, less malware needs to be deployed, potentially reducing the likelihood of detection of the compromise, especially by legacy anti-virus solutions.

Symantec found that the Sagerunex appears to be an updated variant of the Evora backdoor malware used by the Billbug APT group. The group has been active for more than 10 years and like Thrip, has a history of executing attacks against organizations in South East Asia. Attribution can be an inexact science, but Symantec believe that Thrip and Billbug may be the same group or separate teams within the same group. Billbug has previously used spearphishing attacks with malicious PDF or Microsoft Office documents as its initial infection vector.

How Does It Propagate?

Though not specifically mentioned, it is likely that the initial infection vector occurs via malicious PDF or Microsoft documents, either as attachments or links within spearphishing emails.

When/How Did BluVector Detect It?

There are 25 samples publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected for an average of 21 months prior to their release.