Home Malware Programs Malware Thrip


Posted: March 30, 2020

Thrip is Advanced Persistent Threat (APT) that specializes in targeting military, government, and communications entities in Southeast Asia. The threat actor's hacking efforts include deploying custom backdoor Trojans and spyware, along with the additional support of localized tools, for surveillance over compromised networks. Users should protect themselves against traditional phishing lures and website-based attacks and use anti-malware products as appropriate for deleting Thrip's software.

Observing BillBug on a Work Deadline

What's becoming likely to be categorized as a sub-group of the previously-known Billbug hackers' group is remaining active diligently despite some unwanted publicity. This smaller collective under Billbug, Thrip, uses a similar methodology and almost identical Trojan weaponry to the older group, which makes the relationship between the two practically a certainty. In Thrip's case, the attack campaigns are targeting some of the most sensitive networks in the world in Southeast Asia, particularly.

Thrip targets systems related to government, military, and even satellite communications entities by leveraging phishing e-mail lures or watering hole websites, as is appropriate. Once inside, the hackers may drop any of several customized tools: the Hannotog backdoor Trojan, the Sagerunex backdoor Trojan, or Catchamas (which collects passwords and similar data), for example. The resemblance that Sagerunex betrays to the past Billbug's Evora is one of the highest points of similarity, if far from the only one, between the two threat actors. All operations suggest a desire to exercise long-term surveillance over the PC and its network.

Unfortunately, even the absence of Trojans, spyware, or RATs doesn't promise any safety to at-risk systems. Thrip also uses a similar LOLbin (Living-Off-the-Land) style strategy that incorporates default, 'safe' software, and features as part of the attack toolkit for avoiding detection. The philosophy isn't new, and malware experts note similarities in OilRig's use of the ZeroCleare wiper and the Nodersok botnet previously. For Thrip, such methods are, however, particularly advantageous for 'lying low' within highly-sensitive environments, such as networks responsible for managing satellites.

Thrip remains highly active and, for now, undeterred by their public outing and the analysis of their threats by significant vendors in the cyber-security sector.

Keeping Thrip's Throat Dry of Crucial Communications Data

Like most of the APT groups with behavior that implies government funding or administration, Thrip favors opening infection vectors through one of two, well-explored means. One infection attempt uses drive-by-downloads through watering-hole websites. The second one, instead, demands user interaction through phishing lures, usually, over e-mail messages. Malware experts can recommend general precautionary steps against both of them, as follows:

  • Patching software will cut many of the vulnerabilities that attackers use for gaining access to Web servers or infecting the servers' natural traffic afterward.
  • Disabling exploitable Web content also can reduce the surface of attack area available to any threat actors while the user is browsing the Web. 'Exploitable' may include Flash, Java, JavaScript (and other scripts, in general), pop-ups and advertisements.
  • Phishing e-mails may conceal corrupted Web addresses in their links. Always check URLs before clicking on links and, if possible, navigate to the site manually.
  • Attached files also are sources of danger with the potential for dropping Trojans and other threats. Users should avoid enabling macros (AKA 'advanced content') while viewing documents or spreadsheets, especially.

Symptomatic behaviors from backdoor Trojans under the degree of proficiency that Thrip displays are highly unusual. Users should trust their anti-malware services for flagging these threats and removing Thrip's Trojans when necessary and re-secure their accounts afterward.

While many threat actors take 'time off' from their criminal careers after too much exposure, Thrip has done little other than update their tools and tactics. What that means for Asia's governments, satellites, and armies, is a mystery awaiting resolution.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Thrip may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.