Symantec uncovered the link between China-Linked Thrip and Billbug groups

The China-linked APT group Thrip is continuing to target entities in Southeast Asia even after its activity was uncovered by Symantec.

Experts at Symantec first exposed the activity of the Chinese-linked APT Thrip in 2018, now the security firm confirms that cyber espionage group has continued to carry out attacks in South East Asia.

In June 2018, Symantec observed the Thrip group for the first time, at the time the crew has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.

The Thrip group has been active since 2013, but this is the first time Symantec publicly shared details of its activities.

The group has continued launching attacks against entities in Southeast Asia, including military, satellite communications, media and educational organizations. Symantec experts has identified a dozen victims in several countries, including Hong Kong, Macau, Indonesia, the Philippines, Malaysia and Vietnam.

The Thrip group used both custom malware and legitimate tools to hit its targets that continue to include defense contractors, telecoms companies, and satellite operators.

“Many of its recent attacks have involved a previously unseen backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex).” reads the analysis published by Symantec. “Analysis of the latter has revealed close links to another long-established espionage group called Billbug (aka Lotus Blossom). In all likelihood, Thrip and Billbug now appear to be one and the same.”

The recent Thrip campaigns involved a new backdoor tracked as Hannotog. This custom-built backdoor has been used since at least January 2017 to achieve persistence on compromised networks. The Chinese cyberspies also used other tools, including the Sagerunex backdoor and the Catchamas information stealer.

Sagerunex is a custom backdoor providing remote access to the attackers, while Catchamas is a custom-build Trojan used in targeted attacks to steal information.

The experts linked the Thrip APT to another group, Billbug (aka Lotus Blossom), by analyzing the Sagerunex backdoor. Researchers discovered that Sagerunex borrows code from an older Billbug tool dubbed Evora.

The targets of the two groups show significant overlap, Billbug also targeted organizations many military and government organizations in South Asia since at least January 2009. Security experts at Symantec speculate that Thrip is a sub-group of Billbug.

“What ties the two groups together is the Sagerunex backdoor. This malware appears to be an evolution of an older Billbug tool known as Evora.” continues the report. “By comparing strings and code flow between the two, we found that:

• The code for logging in both is the same
• The logging string format is similar, Evora is just more verbose
• The log name for both starts with “\00EV”
• The command and control (C&C) communication code flows are similar

Billbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group, the wider Billbug group is known for specializing in operations against targets in South Asia.“

The link between Thrip and the Billbug groups confirms that the Chinese government is behind a broader range of espionage activity aimed at government and military in South Asia.

“Thrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a wide range of targets in South East Asia.” concludes the report.

“Its link to the Billbug group puts its activities into context and proves its attacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments, armed forces, and communications providers,”

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On