China-based advanced persistent threat group (APT) Thrip continues to pose a major threat to organizations in the satellite, telecommunications, and military sectors in Southeast Asia more than a year after Symantec first exposed its activities.
Far from being deterred by the exposure, the group has continued its attacks unabated on companies in the region. Since June 2018, Thrip has attacked at least 12 high-level targets in multiple countries, including Hong Kong, Indonesia, Malaysia, and the Philippines, Symantec said in an update on Thrip's activities this week.
Thrip, which is known for leveraging legitimate tools such as PsExec, PowerShell, and LogMeIn in its attacks, also has added more custom weapons to its arsenal. According to Symantec, the Chinese group recently began using a previously unseen backdoor called Hannotog to try and gain persistent remote access on compromised systems. Hannotog takes advantage of the built-in Windows Management Instrumentation (WMI) component in Windows as part of its execution on victim networks.
Thrip also is using Sagerunex, another backdoor, recent attacks, suggesting a strong link between Thrip and Billbug Group (aka Lotus Blossom), a well-known Chinese cyber-espionage group that has been operating since at least early 2009. Sagerunex appears to be a more evolved version of malware dubbed Evora, which Billbug has been known to use. Based on this and other available telemetry it appears Thrip is a subgroup of Billbug, Symantec said.
For organizations on its radar, Thrip presents a clear and present danger, says Vikram Thakur, technical director at Symantec.
"Attackers will continue to target organizations regardless of public exp ..
Support the originator by clicking the read the rest link below.
