
Hannotog

Posted: March 30, 2020

Hannotog is a backdoor Trojan deployed by Thrip, a China-based threat actor. Hannotog lets attackers control computers by executing system commands, and its at-risk targets include government, military and communications networks in Asia. Let credible anti-malware products determine the appropriate methods for uninstalling Hannotog, which shows few symptoms and may go unnoticed by users while it is present.

Backdoors Cracking Open in the Most Threatening of Places

While inadequately-secured Trojan campaigns may expose themselves almost instantly, as in the case of some botnets, state-sponsored intrusions are another matter. The apparent Billbug branch of Thrip, a group of specialized, China-based hackers, is using the Hannotog backdoor Trojan alongside other tools, both legitimate and malicious, to achieve its goals. With Hannotog, the group has been succeeding at those goals for three years running.

Since 2017, campaigns using Hannotog have gained access to the networks of satellite-communications operators, governments, and their military branches, with a regional focus on Southeast Asian nations like Indonesia and Vietnam. Thrip's preferred infection method is e-mail attacks (phishing lures) carrying attachments or links, along with occasional watering-hole efforts that target the visitors of a compromised website. The payload can include more than just Hannotog: malware experts also note other dropped threats, namely the spyware Catchamas and Sagerunex, a backdoor Trojan like Hannotog.

Hannotog is a Trojan used exclusively by Thrip, and it provides the hackers with long-term persistence on the compromised system. Hannotog coordinates this role with Sagerunex, which delivers broader remote access, and Catchamas, which collects passwords and credentials for account hijacking. Users should treat Hannotog as equally capable as similar backdoor Trojans at basic attack tasks such as executing system commands, transferring files, or disabling security features and applications like the Task Manager.

The Open Doors Leading to Invisible Drafts

One aspect of Hannotog's deployment should concern any organization that depends excessively on threat-flagging technology like conventional anti-virus scanners. Thrip often makes use of LOLbins (living-off-the-land binaries) and multipurpose software such as Windows PowerShell. By doing so, the attackers can seize control over systems and accounts without Hannotog, or a similar Trojan, being present on every PC. This tactic is likely to cement surveillance opportunities in military networks and other environments with strict rule-sets governing allowable files, network traffic and software.

Users should prevent Hannotog infections and related attacks by monitoring e-mails and website activity. Software patches close the vulnerabilities that Thrip could exploit, and disabling features like Flash, JavaScript, and document macros will further limit the opportunities for drive-by downloads. Victims may receive custom-crafted content tailored to them, including references to their workplace or related industries.

As always, professional anti-malware products have the best chance of safely removing Hannotog, and similar backdoor Trojans, from already-infected computers. The Trojan is Windows-specific, although its deployment has broad implications for any connected devices.

Hannotog is a backdoor Trojan whose payload includes features not yet available for in-depth analysis. However, it's all too transparent that it's another piece of surveillance software serving China, or a threat actor that wishes to appear Chinese, by monitoring foreign computer networks.
