Hannotog is a backdoor Trojan deployed by Thrip, a China-based threat actor. It lets attackers control compromised computers by executing system commands, and at-risk targets include government, military and communications networks in Asia. Because Hannotog shows few symptoms and may go unnoticed by users while present, rely on credible anti-malware products to determine the appropriate method for removing it.
Backdoors Cracking Open in the Most Threatening of Places
While inadequately secured Trojan campaigns may expose themselves almost instantly, as some botnets do, state-sponsored operations are another matter. The apparent Billbug branch of Thrip, a group of specialized, China-based hackers, uses Hannotog backdoor Trojans alongside other tools, both legitimate (White Hat) and malicious (Black Hat), to achieve its goals, and with Hannotog it has been finding success for three years running.
Since 2017, campaigns using Hannotog have gained access to the networks of sat-com operators, governments and their military branches, with a regional focus on Southeast Asian nations such as Indonesia and Vietnam. Thrip's preferred infection methods are e-mail attacks, also known as phishing lures, carrying attachments or links, along with occasional watering-hole efforts that infect a vulnerable website's visitors. The payload can include more than just Hannotog; malware experts also note the dropped threats Catchamas (spyware) and Sagerunex (a backdoor Trojan, like Hannotog).
Hannotog is a Trojan used solely by Thrip and provides the hackers with long-term system persistence. It coordinates this role with Sagerunex, which delivers broader remote access, and Catchamas, which collects passwords and credentials for account hijacking. Users should treat Hannotog as equally capable as similar backdoor Trojans at basic attack tasks such as executing system commands, transferring files, or disabling security features and applications like the Task Manager.
The Open Doors Leading to Invisible Drafts
One aspect of Hannotog's deployment should concern any organization that relies too heavily on threat-flagging technology such as conventional anti-virus scanners. Thrip often makes use of LOLbins (living-off-the-land binaries) and multipurpose software such as Windows PowerShell. By doing so, the attackers can seize control over systems and accounts without needing Hannotog, or a similar Trojan, to be present on each PC. This tactic is likely to cement surveillance opportunities in military networks and other environments with strict rule-sets concerning allowable files, network traffic and software.
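As an added illustration, not taken from the original article or from any vendor tooling, the script below runs three defender-side rules over constructed, Sysmon-style process and registry events: an Office application spawning a script host (the phishing-attachment path described above), PowerShell launched hidden or with an encoded command (the living-off-the-land pattern), and a registry write that disables the Task Manager (one of the capabilities attributed to Hannotog). The event field names, host names and command lines are assumptions made for the example.

```python
import json
import re

# Constructed sample telemetry in a simplified Sysmon-like JSON-lines form (not real captures).
SAMPLE_EVENTS = r"""
{"event": "process_create", "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"}
{"event": "registry_set", "host": "ws01", "image": "cmd.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr", "value": "1"}
{"event": "process_create", "host": "ws02", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"event": "process_create", "host": "ws03", "parent": "OUTLOOK.EXE", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")   # -EncodedCommand and its short forms
HIDDEN_PS = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")      # -WindowStyle Hidden / -w hidden

def check_event(ev):
    """Return the names of the detection rules this single event triggers."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["event"] == "process_create":
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        # Rule 1: a mail/document application launching a shell or script host.
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_shell")
        # Rule 2: PowerShell invoked with a hidden window or an encoded command.
        if image == "powershell.exe" and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
            hits.append("obfuscated_powershell")
    elif ev["event"] == "registry_set":
        # Rule 3: the well-known policy value that disables Task Manager is set to 1.
        if ev.get("key", "").lower().endswith("\\disabletaskmgr") and ev.get("value") == "1":
            hits.append("task_manager_disabled")
    return hits

def analyze(log_text):
    """Parse JSON-lines telemetry and return (host, rule) pairs in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.append((ev["host"], rule))
    return findings

if __name__ == "__main__":
    for host, rule in analyze(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The benign ws02 event (an interactive PowerShell run of a script file) produces no finding, which is the false-positive case these rules are written to tolerate.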
As always, professional anti-malware products have the best chances of removing Hannotog, and all similar backdoor Trojans, safely from already-infected computers. The Trojan is Windows-specific, although its deployment has broad implications for any associated devices.
Hannotog is a backdoor Trojan whose payload includes features not yet available for in-depth analysis. However, it is all too clear that it is another piece of monitoring software doing China, or a threat actor that wishes to suggest as much, the favor of monitoring foreign computer networks.