Since Symantec first exposed the Thrip group in 2018, the stealthy China-based espionage group has continued to mount attacks in South East Asia, hitting military organizations, satellite communications operators, and a diverse range of other targets in the region.
Many of its recent attacks have involved a previously unseen backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Analysis of the latter has revealed close links to another long-established espionage group called Billbug (aka Lotus Blossom). In all likelihood, Thrip and Billbug now appear to be one and the same.
Since Symantec last published on Thrip in June 2018, the group has attacked at least 12 organizations, all located within South East Asia. Its targets have been located in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.
The group has attacked a diverse range of targets over the past year, most notably military targets in two different countries. It has also attacked organizations in the maritime communications, media, and education sectors.
One of the most alarming discoveries made in the original Thrip research was that the group had targeted a satellite communications operator and seemed to be interested in the operational side of the company, looking for and infecting computers running software that monitored and controlled satellites. Significantly, Thrip has continued to target organizations in the satellite communications sector, with evidence of activity dating to as recently as July 2019.
New malware provides more leads
Much of this recent activity was uncovered by Symantec following the discovery of a Thrip tool, a backdoor called Hannotog which appears to have been used since at least January 2017. It was first detected in an organization in Malaysia, where it triggered an alert for suspicious WMI activity with Symantec’s Targeted Attack Analytics (TAA) technology, available in Symantec Endpoint Detection and Response (EDR).
Figure 1. Hannotag was first discovered when it triggered a Targeted Attack Analytics (TAA) alert for suspicious WMI activity
Hannotog is a custom backdoor which provides the attackers with a persistent presence on the victim’s network. It has been used in conjunction with several other Thrip tools, including Sagerunex, another custom backdoor providing remote access to the attackers, and Catchamas (Infostealer.Catchamas), a custom Trojan deployed on selected computers of interest and designed to steal information.
The Billbug link
Since Symantec first uncovered Thrip in 2018, the research found strong evidence linking it to the Billbug group.
Billbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group, the wider Billbug group is known for specializing in operations against targets in South Asia.
Billbug’s targets are usually compromised by either spear-phishing emails or watering hole attacks. The group’s spear-phishing attacks have tended to use exploits in Microsoft Office and PDF documents to drop its malware onto victims’ computers. To date, many of the group’s targets have been governments or military organizations.
Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia. Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers.
Symantec’s TAA was the catalyst for both our initial discovery of Thrip in 2018 and the discovery of new tools and victims in 2019. Without TAA’s artificial intelligence, it is quite likely that the group’s activities may have gone undetected for a lot longer.
Symantec Endpoint Detection and Response (SEDR), which contains TAA technology, automatically detects Thrip-related activity.
In addition to SEDR, Symantec’s Managed Endpoint Detection and Response (MEDR) service leverages automated attack hunting provided by analytics as well as Symantec analyst security expertise to remotely investigate and contain incursions by adversaries such as Thrip in Symantec customer networks.
The following protections are also in place to protect customers against Thrip attacks: