TAA leverages artificial intelligence in order to comb through Symantec’s vast data and spot patterns associated with targeted attacks. It is capable of automatically flagging incidents that would otherwise have taken thousands of hours of analyst time to identify.

TAA allowed us to uncover Hannotog and from there, our expert threat hunting team built out a profile of the adversary’s tools, tactics, and procedures. This allowed us to identify other organizations that have been compromised by Thrip, allowing us to build up a complete picture of the group’s most recent activities.

Hannotog is a custom backdoor which provides the attackers with a persistent presence on the victim’s network. It has been used in conjunction with several other Thrip tools, including Sagerunex, another custom backdoor providing remote access to the attackers, and Catchamas (Infostealer.Catchamas), a custom Trojan deployed on selected computers of interest and designed to steal information.

In addition to custom malware, Thrip has made extensive use of dual-use tools and living-off-the-land tactics. These include:

Credential dumping

Archiving tools

PowerShell

Proxy tools

The Billbug link

Since Symantec first uncovered Thrip in 2018, we’ve found strong evidence linking it to the Billbug group.

What ties the two groups together is the Sagerunex backdoor. This malware appears to be an evolution of an older Billbug tool known as Evora. By comparing strings and code flow between the two, we found that:

The code for logging in both is the same

The logging string format is similar, Evora is just more verbose

The log name for both starts with “\00EV”

The command and control (C&C) communication code flows are similar

Billbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group, the wider Billbug group is known for specializing in operations against targets in South Asia.

Billbug’s targets are usually compromised by either spear-phishing emails or watering hole attacks. The group’s spear-phishing attacks have tended to use exploits in Microsoft Office and PDF documents to drop its malware onto victims’ computers. To date, many of the group’s targets have been governments or military organizations.

Wider picture

Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia. Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers.

Symantec’s TAA was the catalyst for both our initial discovery of Thrip in 2018 and the discovery of new tools and victims in 2019. Without TAA’s artificial intelligence, it is quite likely that the group’s activities may have gone undetected for a lot longer.

Protection/Mitigation

Symantec Endpoint Detection and Response (SEDR), which contains TAA technology, automatically detects Thrip-related activity.

In addition to SEDR, Symantec’s Managed Endpoint Detection and Response (MEDR) service leverages automated attack hunting provided by analytics as well as Symantec analyst security expertise to remotely investigate and contain incursions by adversaries such as Thrip in Symantec customer networks.

The following protections are also in place to protect customers against Thrip attacks:

File-based protection

Threat Intelligence

Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received reports on Thrip and Billbug, which detail methods of detecting and thwarting activities of this group.

Indicators of Compromise