Thrip Threat Group: An Insight Into The Cyber-espionage Group’s Operations

• The threat group primarily targets entities in Southeast Asia, including military, defense, telecom companies, geospatial imaging systems, satellite communications, media, and educational organizations.
• The malicious tools used by Thrip includes Rikamanu info-stealer malware, Mycicil keylogger, Spedear backdoor, Hannotog backdoor, Sagerunex backdoor, and Catchamas info-stealer malware.

About Thrip

Thrip is a Chinese cyber-espionage group that has been active since 2013. The APT group uses “living off the land” techniques to evade detection.

The group’s targets

• The threat group primarily targets entities in Southeast Asia, including military, defense, telecom companies, geospatial imaging systems, satellite communications, media, and educational organizations.
• It has targeted computers running MapXtreme Geographic Information System (GIS) and machines running Google Earth Server and Garmin imaging software.
• In 2018, the cyber-espionage group was spotted targeting a satellite communications operator and a satellite imaging and mapping entity.
• It has also targeted several organizations in the United States, Hong Kong, Macau, Indonesia, the Philippines, Malaysia, and Vietnam.

The tools used by the group

The malicious tools used by Thrip includes Rikamanu info-stealer malware, Mycicil keylogger, Spedear backdoor, Hannotog backdoor, Sagerunex backdoor, Syndicasec, and Catchamas info-stealer malware.

• Rikamanu malware is capable of stealing system information and credentials.
• Hannotog is a custom malware that has been used by Thrip since at least January 2017. This backdoor enables the attackers to gain persistence on the victim’s network.
• Syndicasec is also a custom malware which has been used in the threat group’s previous campaigns.
• Apart from malware, Thrip also utilizes dual-use tools and living-off-the-land tactics such as credential dumping, archiving tools, powerShell, and proxy tools.
• This includes PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn.

Connection with other threat groups

Researchers noted that the Sagerunex backdoor used by Thrip is an evolution of an older tool dubbed ‘Evora’, which has been used by the Billbug group. After analyzing the strings and code flow between the two malware, researchers determined that,

• The code for logging is the same for both Sagerunex and Evora
• The logging string format is similar in both malware
• The log name for both the malware starts with “\00EV”
• Similarly, C&C communication code flows are also the same for both.