
Evora

Posted: March 30, 2020

The Evora backdoor is one of the signature tools of the Thrip Advanced Persistent Threat (APT) group, a hacking organization best known for its threatening operations in South East Asia. The group's targets include, but are not limited to, companies and organizations in the military, communications, media and educational sectors. The hackers appear to specialize in long-term reconnaissance and information theft operations that give them illicit access to data.

The Thrip group's activity can be traced back to 2012, but the group was first identified and analyzed thoroughly in 2018. That analysis revealed many of their tools and tactics, as well as more information about the likely profile of the group's primary targets. Evora has been used in several of Thrip's large-scale campaigns, but the backdoor appears to have been reworked and is now being used under a new name, Sagerunex. Sagerunex and Evora share many similarities, and cybersecurity experts are confident that Sagerunex is nothing other than a new iteration of the Evora backdoor.

Infection with the Evora Backdoor Paves the Road for Additional Payloads

The Evora implant is likely to have been used as a first-stage payload, which would enable the attackers to collect data about the compromised host and determine their next actions. The backdoor gives the Thrip hackers the ability to execute commands on the infected computer, collect information about running processes and services, and, naturally, deploy additional malware.

Thrip's espionage operations are still active, and the group has been using a wide array of malware on top of the Evora backdoor. Their arsenal also includes the Catchamas infostealer and the Hannotog backdoor.
