Written by Shannon Vavra

A Chinese cyber-espionage group that Symantec first exposed last June may actually be part of another group that has already been discovered, according to the company’s researchers.

The group, which Symantec last labeled as “Thrip,” has attacked targets in 12 organizations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines and Vietnam since it was first identified. Additionally, researchers say it has returned with a new custom-built tool.

“When they came back in October [or] November, we see [Thrip] using a brand new tool which is built from scratch [that] we’ve never seen before,” Vikram Thakur, a technical director at Symantec, told CyberScoop. “[The hackers] pause, retool, regroup and then they continue their mission.”

However, Symantec’s analysis of a backdoor the group has been using, known as Sagerunex, reveals Thrip is likely another threat group — known Billbug or Lotus Blossom — that has been operating against targets in South Asia for approximately a decade.

“We wrote about this group [Thrip] last year and at that point we thought this group was brand new because we couldn’t associate it with anybody else,” Thakur said. “We [found] some technical similarities to something that has existed for a number of years — these guys are not absolutely brand new like we had pointed out last year. They seem to be using an evolution of a tool that has almost been used for ten years at this point.”

In particular, Symantec assesses that Sagerunex has code extremely similar to a tool used by Lotus Blossom called Evora. Both use the same code for logging, similar logging string formats, similar command-and-control code flows, and both have log names that begin with a similar string of letters, numbers and symbols.

“These are … extremely specific commonalities between two malware families. We often find one commonality or two, but this time we found four,” Thakur said. “That’s why we actually think … Thrip is the same as another group that we call Billbug.”

What Thrip and Lotus Blossom do

Thrip has keyed in on military organizations, satellite communications operators, maritime communications organizations, media and parts of the education sectors in Southeast Asia, Symantec said. The company would not name which organizations were targeted or where they were located.

In 2019, it has expanded its reach in military and maritime targets, Thakur said. “Every single [targeted] organization is new compared to last year,” he said. “There’s no organization from the prior years.”

Like Thrip, Lotus Blossom also targets military organizations.

Although Symantec says that Thrip has been running its cyber-espionage campaigns out of three computers in China, Thakur said how the hackers reached their victims remains a mystery.

“We actually don’t know what the infection vector or the attack vector is,” Thakur said. “It could have been an email, it could have been a website, but we don’t know.”

The group prefers “living off the land” tactics, Thakur says, meaning it takes advantage of administrative tools or legitimate operating system features, like PowerShell or Windows Management Infrastructure (WMI). Maneuvers like those can keep activity from being flagged as suspicious by cybersecurity products.

Clues about motive

The new Thrip tool, which Symantec is calling “Hannotog,” may offer some clues about the group’s intentions. Hannotog allows attackers to establish persistence on victim networks and can work with Thrip’s other tools, such as Sagerunex or a Trojan called Catchamas that allows attackers to pilfer information.

Hannotog appears to have been in use as early as January of 2017, Symantec said.

Some other clues about Thrip may lie in how Lotus Blossom operates. Lotus Blossom tends to use spearphishing as an initial attack vector to dupe victims into clicking on decoy documents that contain exploit code for a Microsoft Office vulnerability, CVE-2012-0158.