Chinese APT groups remain very active: experts at Symantec have tracked a new APT group, named Thrip, that has breached the systems of satellite operators, telecommunications companies and defense contractors in the United States and Southeast Asia.
The Thrip group has been active since 2013, but this is the first time Symantec has publicly shared details of its activities.
“We’ve been monitoring Thrip since 2013 when we uncovered a spying campaign being orchestrated from systems based in China. Since our initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools,” reads the analysis published by Symantec.
Thrip APT used a combination of custom malware and legitimate tools in its attacks; the list of victims is long and includes a satellite communications operator.
The hackers targeted devices involved in operations and infected computers running software that monitors and controls satellites; this suggests the attackers may also be interested in sabotage.
Another victim of the group is a company specializing in geospatial imaging and mapping.
“[Thrip] targeted computers running MapXtreme GIS (Geographic Information System) software which is used for tasks such as developing custom geospatial applications or integrating location-based data into other applications. It also targeted machines running Google Earth Server and Garmin imaging software.” continues the analysis.
“The satellite operator wasn’t the only communications target Thrip was interested in. The group had also targeted three different telecoms operators, all based in Southeast Asia.”
Beyond the three telecoms firms in Southeast Asia, the group also targeted a defense contractor.
The group’s arsenal includes the data-stealing Trojan.Rikamanu and its evolution, Infostealer.Catchamas, which implements more sophisticated data-stealing and evasion capabilities.
The APT group also used Trojan.Mycicil, a keylogger sold on Chinese underground marketplaces, as well as the Backdoor.Spedear and Trojan.Syndicasec malware.
The Thrip APT also used many legitimate tools, including the Windows Sysinternals utility PsExec, PowerShell, Mimikatz, and the LogMeIn remote access software.
Further details, including IoCs, are reported in the analysis published by Symantec.
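Because living-off-the-land tools such as PsExec, PowerShell, Mimikatz and LogMeIn are legitimate software, they rarely trip antivirus; defenders instead have to hunt for them in process-creation telemetry. The script below is an added example (not code from Symantec’s report or from Security Affairs) that runs simple heuristic rules over a handful of constructed process-creation events. The log format, the host and user names, and the regular expressions are all this example’s own assumptions, not Symantec’s indicators.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample process-creation events (not taken from Symantec's report).
# Assumed line format: "<timestamp>|<host>|<user>|<image path>|<command line>"
SAMPLE_LOGS = [
    "2018-06-19T08:01:12|ws-gis-04|CORP\\analyst|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "2018-06-19T08:03:45|ws-gis-04|CORP\\svc_ops|C:\\Tools\\PsExec.exe|PsExec.exe \\\\sat-ctl-01 cmd.exe",
    "2018-06-19T08:04:02|sat-ctl-01|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
    "2018-06-19T08:05:30|sat-ctl-01|CORP\\svc_ops|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA",
    "2018-06-19T08:07:11|sat-ctl-01|CORP\\svc_ops|C:\\Users\\Public\\mimikatz.exe|mimikatz.exe",
    "2018-06-19T08:09:50|ws-gis-04|CORP\\analyst|C:\\Program Files\\LogMeIn\\x64\\LogMeIn.exe|LogMeIn.exe",
    "2018-06-19T08:10:00|ws-gis-04|CORP\\analyst|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process",
]

# Detection heuristics for the tooling named in the article. Each rule is
# (rule name, regex, event field the regex is applied to). These patterns are
# this example's own assumptions and would need tuning in a real environment.
RULES = [
    ("psexec_client", r"(?i)\\psexec(64)?\.exe$", "image"),          # PsExec launched locally
    ("psexec_service", r"(?i)\\psexesvc\.exe$", "image"),            # PsExec service on the remote host
    ("powershell_encoded", r"(?i)powershell.*\s-(e|ec|enc|encodedcommand)\s", "cmdline"),
    ("mimikatz", r"(?i)mimikatz|sekurlsa::|lsadump::", "cmdline"),   # binary name or module keywords
    ("logmein_remote_access", r"(?i)\\logmein\\", "image"),          # remote-access software present
]


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into named fields (command line may contain pipes)."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"timestamp": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def scan_logs(lines: List[str]) -> List[Finding]:
    """Apply every rule to every event and return the matches in log order."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_line(line)
        for name, pattern, field in RULES:
            if re.search(pattern, event[field]):
                findings.append(Finding(name, event["host"], event["user"], event["image"]))
    return findings


def summarize_by_host(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per host so that hosts with several hits surface first in triage."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"{f.host:12} {f.rule:24} {f.user:24} {f.image}")
    print(summarize_by_host(results))
```

On the constructed sample, the benign notepad and interactive PowerShell events produce no findings, while the satellite control host accumulates three hits (PsExec service, encoded PowerShell, Mimikatz) and so stands out immediately in the per-host summary. In production these rules would be fed from Sysmon or Windows 4688 events and tuned against the administrators who legitimately use PsExec and LogMeIn.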
(Security Affairs – Thrip APT, cyberespionage)