
Thrip

Posted: March 30, 2020

Thrip is an Advanced Persistent Threat (APT) group that specializes in targeting military, government, and communications entities in Southeast Asia. The threat actor's operations include deploying custom backdoor Trojans and spyware, supported by localized tools, to maintain surveillance over compromised networks. Users should protect themselves against traditional phishing lures and website-based attacks and use anti-malware products as appropriate for deleting Thrip's software.

Observing BillBug on a Work Deadline

What is increasingly likely to be categorized as a sub-group of the previously-known Billbug hacking group remains diligently active despite some unwanted publicity. This smaller collective under Billbug, Thrip, uses a similar methodology and almost identical Trojan weaponry to the older group, which makes the relationship between the two practically a certainty. In Thrip's case, the attack campaigns target some of the most sensitive networks in the world, particularly in Southeast Asia.

Thrip targets systems belonging to government, military, and even satellite communications entities by leveraging phishing e-mail lures or watering-hole websites, as appropriate. Once inside, the hackers may drop any of several customized tools: the Hannotog backdoor Trojan, the Sagerunex backdoor Trojan, or Catchamas (which collects passwords and similar data), for example. The resemblance between Sagerunex and Billbug's earlier Evora is one of the strongest points of similarity, if far from the only one, between the two threat actors. All operations suggest a desire to exercise long-term surveillance over the PC and its network.

Unfortunately, even the absence of Trojans, spyware, or RATs doesn't promise any safety to at-risk systems. Thrip also uses a LOLbin (Living-Off-the-Land) style strategy that incorporates default, 'safe' software and features as part of the attack toolkit for avoiding detection. The philosophy isn't new; malware experts have previously noted similar approaches in OilRig's use of the ZeroCleare wiper and in the Nodersok botnet. For Thrip, however, such methods are particularly advantageous for 'lying low' within highly sensitive environments, such as networks responsible for managing satellites.
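Because living-off-the-land activity hides behind legitimate binaries, defenders usually hunt for it in process-creation telemetry rather than on disk. As an added example (not from the original article or from any vendor's product), the following Python script applies two generic living-off-the-land heuristics to constructed process-creation records: an Office application spawning a script or command interpreter, and PowerShell launched with an encoded command or a hidden window. The field names (`ts`, `parent`, `image`, `cmdline`), the sample events and the rule lists are assumptions for illustration, not documented Thrip indicators.

```python
"""Flag living-off-the-land (LOLBin) style process activity in process-creation logs.

Added example; not code from the original article or any vendor tooling.
The records below are constructed for illustration, and the field names
(ts, parent, image, cmdline) are assumptions rather than a product's schema.
"""
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2020-03-30T09:12:01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": 'winword.exe "C:\\Users\\a\\Downloads\\budget.docx"'},
    # A document viewer launching a shell with an encoded, hidden command is
    # the classic macro-to-PowerShell pattern that LOLBin hunting looks for.
    {"ts": "2020-03-30T09:12:07", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"ts": "2020-03-30T09:20:00", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # Benign administrative PowerShell from a console: should not be flagged.
    {"ts": "2020-03-30T09:21:10", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\logs"},
]

# Assumed rule inputs: Office parents and the interpreters they rarely need to start.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell switches commonly abbreviated; match on a dash preceded by whitespace.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
HIDDEN_PS = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def check_event(ev):
    """Return the findings (possibly none) that a single event triggers."""
    findings = []
    parent = ev["parent"].lower()
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding(ev["ts"], "office-spawns-script-host", f"{parent} -> {image}"))
    if image == "powershell.exe":
        if ENCODED_PS.search(cmd):
            findings.append(Finding(ev["ts"], "powershell-encoded-command", cmd))
        if HIDDEN_PS.search(cmd):
            findings.append(Finding(ev["ts"], "powershell-hidden-window", cmd))
    return findings


def scan(events):
    """Run every rule over every event and collect the findings in order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts}  {f.rule:30}  {f.detail}")
```

Only the Word-to-PowerShell event trips the rules; the console-launched `Get-ChildItem` does not, because the regexes require the switch to stand alone rather than appear inside a cmdlet name. In a real deployment these heuristics would be one layer among many, since an adversary choosing LOLBins precisely to blend in will also vary parent processes and argument spelling.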

Thrip remains highly active and, for now, undeterred by their public outing and the analysis of their threats by significant vendors in the cyber-security sector.

Keeping Thrip's Throat Dry of Crucial Communications Data

Like most APT groups whose behavior implies government funding or administration, Thrip favors opening infection vectors through one of two well-explored means. One uses drive-by downloads through watering-hole websites. The second demands user interaction, usually through phishing lures delivered in e-mail messages. Malware experts can recommend general precautionary steps against both, as follows:

  • Patching software will cut many of the vulnerabilities that attackers use for gaining access to Web servers or infecting the servers' natural traffic afterward.
  • Disabling exploitable Web content also can reduce the attack surface available to any threat actors while the user is browsing the Web. 'Exploitable' may include Flash, Java, JavaScript (and other scripts, in general), pop-ups and advertisements.
  • Phishing e-mails may conceal corrupted Web addresses in their links. Always check URLs before clicking on links and, if possible, navigate to the site manually.
  • Attached files are also a source of danger, with the potential for dropping Trojans and other threats. Users should especially avoid enabling macros (AKA 'advanced content') while viewing documents or spreadsheets.
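The last two precautions (checking where a link really leads, and treating macro-bearing attachments with suspicion) can be partly automated at the mail gateway or in a triage script. As an added example, not taken from the original article, the following Python code uses only the standard library to flag anchors whose visible text names one host while the `href` points at another, and to detect a VBA project inside an OOXML attachment. The message body, the attachment and the function names are constructed for this illustration.

```python
"""Triage an e-mail for two common lure features: links whose displayed text
names a different host than the real href, and Office attachments that carry
VBA macros. Added example, not code from the original article; the message
and the attachment are constructed inline. Standard library only."""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain; a scheme is added if missing."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html):
    """Links whose visible text looks like a URL/domain but whose href host differs."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        # Only treat the anchor text as a claimed destination if it looks like one.
        shown = _host(text) if ("." in text and " " not in text) else ""
        real = _host(href)
        if shown and real and shown != real:
            out.append({"shown": shown, "actual": real, "href": href})
    return out


def has_vba_macros(ooxml_bytes):
    """True if an OOXML container (docx/xlsx/pptx family) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


# Constructed sample message body (not a real phishing e-mail).
SAMPLE_HTML = """
<p>Please review the updated policy at
<a href="http://login-portal.example.invalid/auth">https://intranet.example.org/policy</a>
and see <a href="https://intranet.example.org/help">our help page</a>.</p>
"""


def _build_sample_docm():
    """Construct a minimal OOXML-like zip with a VBA project, purely for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


SAMPLE_ATTACHMENT = _build_sample_docm()


def triage(html, attachments):
    """Summarize the risky features of one message; attachments are (name, bytes)."""
    return {"mismatched_links": mismatched_links(html),
            "macro_attachments": [name for name, data in attachments if has_vba_macros(data)]}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML, [("budget.docm", SAMPLE_ATTACHMENT), ("notes.txt", b"plain")]))
```

The first anchor is reported because its text claims `intranet.example.org` while the `href` resolves to `login-portal.example.invalid`; the second is ignored because plain words such as "our help page" make no claim about a destination. The macro check inspects the zip directory only, so it works on attachments of any size without opening them in Office.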

Symptomatic behaviors from backdoor Trojans deployed with the degree of proficiency that Thrip displays are highly unusual. Users should trust their anti-malware services to flag these threats and remove Thrip's Trojans when necessary, and re-secure their accounts afterward.

While many threat actors take 'time off' from their criminal careers after too much exposure, Thrip has done little other than update their tools and tactics. What that means for Asia's governments, satellites, and armies is a mystery awaiting resolution.
