ATK78

Presumed Origin: China

Alias: Thrip

ATK78 (aka Thrip, as named by Symantec) is a Chinese cyber-espionage group targeting the telecommunications, geospatial imaging and defense sectors in the United States and Southeast Asia. Thrip was uncovered in January 2018 by Symantec during a campaign targeting an important telecommunications operator in Southern Asia.

 

On the day of its publication, the Symantec article described five custom malware families: Rikamanu, Catchamas, Mycicil, Spedear and Syndicasec. The article has since been modified, possibly by mistake, and only the Catchamas information-stealing trojan remains. Because of this, the information presented here is given with moderate confidence.

 

During the latest wave of attacks, which began in 2017, Thrip targeted a satellite communications operator. The group seemed particularly interested in the operational side of the company, looking for and infecting computers running the software that monitors and controls satellites. This suggests that Thrip's motives go beyond spying and may also include disruption.

 

The group relies on living-off-the-land techniques: it uses administration tools already present on the compromised machine to reach its goal. This approach has several advantages:

  • Reduced cost and development time of an attack.
  • The lack of custom malware makes the intrusion harder to attribute.
  • Use of legitimate tools and legitimate protocols makes the intrusion harder to detect.

 

ATK78 uses PsExec, a legitimate Microsoft Sysinternals tool, for lateral movement inside the compromised network. PsExec is used to install the Catchamas trojan, which allows the adversary to steal information. This malware is deployed on compromised systems of interest.
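A defender-side check for the PsExec lateral-movement step described above, added here as an example that is not part of the original profile: it parses constructed Windows System log "service installed" (EventID 7045) records and flags installs matching PsExec's default PSEXESVC service, or, more weakly, a user-mode service binary dropped straight into %SystemRoot%. The record layout, hostnames, service names and the weaker heuristic are assumptions for illustration.

```python
import re

# Constructed sample of Windows System log "service installed" (EventID 7045)
# records, flattened to key=value pairs; real exports differ in layout.
SAMPLE_EVENTS = [
    "EventID=7045 Computer=SAT-OPS-01 ServiceName=PSEXESVC "
    "ImagePath=%SystemRoot%\\PSEXESVC.exe ServiceType='user mode service' "
    "StartType='demand start' AccountName=LocalSystem",
    "EventID=7045 Computer=GIS-WS-07 ServiceName=WinUpdSvc "
    "ImagePath=%SystemRoot%\\WinUpdSvc.exe ServiceType='user mode service' "
    "StartType='demand start' AccountName=LocalSystem",
    "EventID=7045 Computer=FILE-01 ServiceName=BackupAgent "
    "ImagePath='C:\\Program Files\\Vendor\\agent.exe' "
    "ServiceType='user mode service' StartType='auto start' AccountName=LocalSystem",
    "EventID=7036 Computer=SAT-OPS-01 ServiceName=Spooler State=running",
]

# key=value pairs; values containing spaces are single-quoted in this sample layout
KV = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# a service binary sitting directly in the Windows directory, which is where PsExec
# copies its service executable (through the ADMIN$ share) before starting it
SYSTEMROOT_EXE = re.compile(r"^(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_event(line):
    """Turn one flattened event record into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def classify(fields):
    """Return 'high', 'medium' or None for a parsed service-install event."""
    if fields.get("EventID") != "7045":
        return None
    name = fields.get("ServiceName", "")
    path = fields.get("ImagePath", "")
    # default PsExec service name and binary name
    if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
        return "high"
    # a renamed service (PsExec -r) still lands its binary in %SystemRoot%; this is
    # an assumed, weaker heuristic that must be tuned against your own baseline
    if SYSTEMROOT_EXE.match(path):
        return "medium"
    return None


def find_psexec_installs(lines):
    """Scan flattened log lines; return (host, service name, confidence) per hit."""
    parsed = [parse_event(line) for line in lines]
    return [(f.get("Computer", "?"), f.get("ServiceName", "?"), classify(f))
            for f in parsed if classify(f)]
```

Feed it the 7045 records from the System log of the hosts you care about; a "high" hit should be correlated with the remote logon that preceded it, and "medium" hits are only a starting point for triage.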

 

Symantec identified three computers based in China that were used to launch the attacks. Thrip targeted a satellite telecommunications operator and seemed to focus on the systems running the software used to control the satellites, which suggests that disruption, in addition to espionage, may have been an objective. Similarly, when the group targeted a geospatial imaging organization, it focused on computers running the "MapXtreme Geographic Information System" software, used to develop geospatial applications, as well as Google Earth and Garmin imaging software. The group also targeted three organizations from Southeast Asia in the telecommunications sector and one in the defense sector. The nature of the attacks indicates that these organizations themselves were the targets, not their clients.

 

The geographic targets and the kinds of entities targeted indicate a correlation with PRC interests in the context of Sino-US tensions in the China Sea, especially the sovereignty disputes around the Spratly and Paracel islands. This suggests a direct link between the Thrip group and Chinese institutions.

 

The group therefore appears to act within a strategic framework defined by the Party, while also responding to immediate contextual signals. The group's nuisance capabilities and usual targets make it formidable.

 

We draw attention to the fact that we have chosen to treat only the case of the Thrip group under ATK78; some sources also link it to the aliases Lotus Blossom, Lotus Panda and Spring Dragon. This situation stems from the high level of sharing between Chinese attackers and the structure of their cyber services, which leads to confusion in their identification.

 

References:

https://attack.mitre.org/groups/G0076/

https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets


Target sector

  • Aerospace
  • Communication
  • Defense
  • Education
  • High-Tech
  • Media
  • Satellites and Telecommunications

Target countries

  • Philippines
  • Taiwan
  • United States of America
  • Viet Nam

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1010 - Application Window Discovery
  • T1016 - System Network Configuration Discovery
  • T1036 - Masquerading
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • T1050 - New Service
  • T1056 - Input Capture
  • T1059.001 - PowerShell
  • T1074 - Data Staged
  • T1086 - PowerShell
  • T1098 - Account Manipulation
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1115 - Clipboard Data
  • T1219 - Remote Access Software
  • T1219 - Remote Access Tools
  • T1555.004 - Windows Credential Manager
  • T1564.001 - Hidden Files and Directories

Motivation

  • Espionage
  • Information theft

Malware

  • Catchamas
  • Hannotog
  • Mimikatz
  • Mycicil
  • Rikamanu
  • Sagerunex
  • Spedear
  • Syndicasec

Vulnerabilities