China (Thrip): In June, a new group from China, who was given the name Thrip by researchers at Symantec, was seen attacking organizations in Hong Kong, Malaysia, Vietnam and the Philippines. They have now returned with a custom tool that may link them to the previously known Chinese group Lotus Blossom. The group has continued its target of Southeast Asia including military, satellite communications, media and educational organizations. During the most recent analysis of the group’s attacks, a new backdoor tool was discovered, which the group has been using since at least January of 2017. The tool called Hannotog, is a custom backdoor that allows attackers to remain persistent on a system and is used alongside other tools like the Catchamas information stealer and Sagerunex backdoor. Sagerunex provides remote access to systems and helped researchers link Thrip to Lotus Blossom. Lotus Blossom also carries out attacks in Southern Asia including military and government organizations.
Analyst Notes
Thrip is now believed to be a subgroup of Lotus Blossom, both active in the same geo-location. The group was linked based on the similarities in the Sagerunex and Evora code and upon further analysis, they believe that Sagerunex is an evolution of Evora.
