A Chinese cyber-espionage group dubbed “Thrip” by Symantec may actually be part of the China-linked Billbug group, which has been around for at least a decade. Symantec first released a report on the activity of the Thrip APT in June 2018; the researchers now confirm that, despite that exposure, the threat actor has continued to carry out attacks in South East Asia targeting military organizations, satellite communications operators and other entities of interest. Over the past year the group has attacked at least 12 organizations in the region, most of them located in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.
In its recent attacks the group has used a new backdoor called Hannotog (Backdoor.Hannotog), as well as another tool known as Sagerunex (Backdoor.Sagerunex), which appears to be connected to another long-established espionage group called Billbug (aka Lotus Blossom) that has been active since at least 2009. The Billbug group also specializes in operations against entities in South Asia, and its targets are mainly government and military organizations.
Based on the evidence discovered, the Thrip APT is now believed to be a subgroup of Billbug. Researchers linked the two groups on the basis of similarities in the code of Sagerunex and Evora, an older Billbug tool. The experts believe that Sagerunex is actually an evolution of Evora.
Hannotog is a custom backdoor that appears to have been in use since at least January 2017. The malware provides the attackers with a persistent presence on the victim’s network and is used in conjunction with several other tools, including Sagerunex and Catchamas, a custom Trojan designed to steal information from infected systems. Additionally, the Thrip APT leverages dual-use tools and living-off-the-land tactics in its attacks, such as credential dumping, archiving tools, PowerShell, and proxy tools.
“Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia. Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,” the Symantec threat research team concluded.