11 September 2019

Researchers found the link between China-Linked Thrip and Billbug groups
A Chinese cyber-espionage group dubbed “Thrip” by Symantec may actually be part of the China-linked Billbug group, which has been active for at least a decade. Symantec first reported on the Thrip APT in June 2018; the researchers now confirm that, despite that exposure, the threat actor has continued to carry out attacks in South East Asia against military organizations, satellite communications operators and other entities of interest. Over the past year the group has attacked at least 12 organizations in the region, most of them located in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

In its recent attacks the group has used a new backdoor called Hannotog (Backdoor.Hannotog), as well as another tool known as Sagerunex (Backdoor.Sagerunex), which appears to be connected to another long-established espionage group called Billbug (aka Lotus Blossom), active since at least 2009. The Billbug group also specializes in operations against entities in South Asia; its targets are mainly governments and military organizations.

Based on the evidence discovered, the Thrip APT is now believed to be a subgroup of Billbug. Researchers linked the two groups based on similarities between the code of Sagerunex and that of Evora, an older Billbug tool; the experts believe Sagerunex is an evolution of Evora.

As for Hannotog, it is a custom backdoor that appears to have been in use since at least January 2017. The malware gives the attackers a persistent presence on the victim’s network and is used in conjunction with several other tools, including Sagerunex and Catchamas, a custom Trojan designed to steal information from infected systems. Additionally, the Thrip APT uses dual-use tools and living-off-the-land tactics in its attacks, such as credential dumping, archiving tools, PowerShell, and proxy tools.

“Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia. Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,” the Symantec threat research team concluded.
