
Sagerunex

Posted: March 30, 2020

Sagerunex is a backdoor Trojan whose activity was first spotted in 2018. Cybersecurity experts noticed many similarities between Sagerunex and the Evora backdoor, another piece of malware that was a prime part of the arsenal of Thrip, a cybercrime organization operating in South East Asia. Both Evora and Sagerunex share similar action-logging techniques, and they use nearly identical techniques to communicate with their Command and Control server. Last but not least, both backdoors have been found on networks that fit the profile of Thrip's usual targets, so there are plenty of reasons to suspect that Sagerunex is nothing other than an evolved version of Evora.

Sagerunex Backdoor is Thrip's Upgrade to Evora

The functionality of the Sagerunex implant is relatively limited, but it provides its operators with all the features they need to extract data from the infected host and to install any third-party hacking tools they may need to fulfill their plans. The backdoor gains persistence through one of the classic techniques: it makes changes to the Windows Registry to ensure that it runs when Windows starts. Some active variants of Sagerunex were hiding under the name 'svchost.exe' on the infected system; this is the name of a legitimate process related to many of Windows' core services.
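The two traits above, a registry autostart entry and an executable masquerading as svchost.exe, are something a defender can check for directly. The script below is an added example, not code from the page or from any Sagerunex analysis: it assumes that the "changes to the Windows Registry" are the usual Run/RunOnce keys (the page does not name the key), flags any autostart command whose image is called svchost.exe but does not live in the System32 or SysWOW64 directory, and ships with a constructed set of sample entries so it runs on any platform. On a Windows host it reads the real Run keys through `winreg` instead.

```python
import ntpath
import re
import sys

# Directories where a genuine Windows svchost.exe lives (compared case-insensitively).
EXPECTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Minimal expansion of the environment variables Run keys commonly use.
# Assumes the default %SystemRoot%; a real host should be queried instead.
ENV_MAP = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}

# Autostart locations assumed here to be what the write-up means by
# "changes to the Windows Registry to ensure that it runs when Windows starts".
RUN_KEYS = (
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
)


def _expand(command):
    # Replace %VAR% tokens we know about; unknown ones are left untouched.
    return re.sub(r"%[^%]+%", lambda m: ENV_MAP.get(m.group(0).lower(), m.group(0)), command)


def extract_image_path(command):
    r"""Return the executable referenced by an autostart command line.

    Handles both quoted ("C:\dir with spaces\x.exe" /args) and unquoted
    (C:\dir\x.exe /args) forms; anything after the image name is dropped.
    """
    command = _expand(command.strip())
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def is_suspicious_svchost(command):
    """True when the command runs something called svchost.exe from outside
    the directories where Windows keeps the real one."""
    image = extract_image_path(command)
    if ntpath.basename(image).lower() != "svchost.exe":
        return False
    return ntpath.normcase(ntpath.dirname(image)) not in EXPECTED_SVCHOST_DIRS


def find_suspicious_autoruns(entries):
    """Filter {'hive','key','value_name','command'} dicts down to svchost.exe look-alikes."""
    return [e for e in entries if is_suspicious_svchost(e["command"])]


def read_run_keys():
    """Collect Run/RunOnce values from a live Windows host via winreg.
    Returns [] on other platforms so the rest of the script still runs."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, hence the late import
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                entries.append({"hive": hive_name, "key": subkey,
                                "value_name": name, "command": str(data)})
                index += 1
    return entries


# Constructed sample entries (not taken from a real host) so the check runs anywhere.
SAMPLE_AUTORUNS = [
    {"hive": "HKLM", "key": RUN_KEYS[0][1], "value_name": "SecurityHealth",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"hive": "HKCU", "key": RUN_KEYS[2][1], "value_name": "svchost",
     "command": r'"C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"hive": "HKLM", "key": RUN_KEYS[0][1], "value_name": "HostSvc",
     "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"hive": "HKCU", "key": RUN_KEYS[2][1], "value_name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"hive": "HKLM", "key": RUN_KEYS[1][1], "value_name": "Loader",
     "command": r"C:\ProgramData\svchost.exe /s"},
    {"hive": "HKCU", "key": RUN_KEYS[3][1], "value_name": "Updater",
     "command": r"%APPDATA%\svchost.exe"},
]

if __name__ == "__main__":
    entries = read_run_keys() or SAMPLE_AUTORUNS
    for e in find_suspicious_autoruns(entries):
        print(f"{e['hive']}\\{e['key']} [{e['value_name']}] -> {e['command']}")
```

Run against the sample data, the three entries pointing at a user profile, ProgramData and an unexpanded %APPDATA% are reported while the System32 entry and the unrelated executables are not. The path check is deliberately narrow; in practice any svchost.exe referenced from a Run key at all deserves a look, since the genuine one is started by the Service Control Manager rather than from an autostart value.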

The Sagerunex backdoor is controlled via commands sent from a remote Command and Control server; the attackers use this connectivity to execute shell commands and to download and run additional files on the infected computer.

Organizations can protect their networks from threats like Sagerunex by enforcing stricter cybersecurity policies and by investing in reliable firewall services and anti-virus protection.
