The researchers eventually traced the hacking activity to computers physically located in China. Besides Southeast Asia, targets were also located in the US.
A little more than a year later, Symantec gathered new information that allowed researchers to determine that Thrip was effectively the same as a longer-existing group known as Billbug or Lotus Blossom. In the 15 months since the first write-up, Billbug had successfully hacked 12 organizations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. The victims included military targets, maritime communications, and media and education sectors.
Billbug used a combination of legitimate software and custom malware to burrow into its victims’ networks. Using legitimate software such as PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn allowed the hacking activities to blend in with normal operations in the compromised environments. The hackers also used the custom-built Catchamas info stealer and backdoors dubbed Hannotog and Sagerunex.
In the more recent campaign targeting the certificate authority and the other organizations, Billbug was back with Hannotog and Sagerunex, but it also used a host of new, legitimate software, including AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner.
Tuesday’s post includes a host of technical details people can use to determine if they’ve been targeted by Billbug. Symantec is the security arm of Broadcom Software.