Thrip, also known as Billbug or Lotus Blossom, is a Chinese-affiliated Advanced Persistent Threat (APT) group that has been active since 2009. The group's primary objective is espionage, and it targets organizations in the communications, geospatial imaging, and defense sectors in both the United States and Southeast Asia. In its recent operations Thrip compromised a digital certificate authority in an Asian country; it likely used the stolen certificates to sign the malware it deployed against government agencies over the last six months, since code signed by a trusted authority passes many file-reputation checks.
The group combines custom malware such as Infostealer.Catchamas with "living off the land" tactics, that is, using legitimate tools already present on the system for malicious purposes so that its activity blends in with routine administration. Despite that camouflage, Thrip was exposed by its use of PsExec, a Microsoft Sysinternals remote-execution tool that administrators use legitimately but that attackers also use for lateral movement. PsExec copies a service binary to the target's ADMIN$ share, installs it as a Windows service (named PSEXESVC by default) and talks to it over a named pipe, and each of those steps leaves an artifact in the target's event logs. This blend of custom tooling and abused administrative utilities makes Thrip a complex and persistent threat actor, capable of significant cyber-espionage campaigns.
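The following is an added example, not code from the original page and not Symantec's own detection logic. It shows how the PsExec artifacts described above can be turned into detection rules over Windows event records: a simple match on the default PSEXESVC service name and pipe, plus a behavioural rule (an executable written to ADMIN$ followed within a short window by a service install from %SystemRoot% on the same host) that still fires when the operator renames the service with `psexec -r`. The events are constructed for this example and are assumed to have already been parsed from the System and Security logs into dicts whose keys follow the field names of Windows events 7045 and 5145; the rule names and the `detect` function are this example's own.

```python
"""PsExec lateral-movement detection over pre-parsed Windows events (added example)."""
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"   # default PsExec service and pipe name

# Constructed sample events (not real logs). Keys mirror the XML fields of
# event 7045 (System: "A service was installed") and 5145 (Security: network
# share object checked).
T0 = datetime(2024, 5, 4, 20, 0, 0)
SAMPLE_EVENTS = [
    # Default PsExec run against FS01: drop binary, install service, open pipe.
    {"Time": T0, "EventID": 5145, "Computer": "FS01", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe"},
    {"Time": T0 + timedelta(seconds=2), "EventID": 7045, "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Time": T0 + timedelta(seconds=3), "EventID": 5145, "Computer": "FS01", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "PSEXESVC", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe"},
    # Benign service install: must not fire.
    {"Time": T0 + timedelta(minutes=1), "EventID": 7045, "Computer": "FS01", "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\"",
     "AccountName": "LocalSystem"},
    # Renamed PsExec (psexec -r winupd) against DC01: name-based rules miss it.
    {"Time": T0 + timedelta(minutes=5), "EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "winupd.exe", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe"},
    {"Time": T0 + timedelta(minutes=5, seconds=4), "EventID": 7045, "Computer": "DC01",
     "ServiceName": "winupd", "ImagePath": "%SystemRoot%\\winupd.exe", "AccountName": "LocalSystem"},
]


def is_default_psexec_service(ev):
    """7045 carrying the out-of-the-box PsExec service name or binary."""
    if ev["EventID"] != 7045:
        return False
    name = ev.get("ServiceName", "").upper()
    path = ev.get("ImagePath", "").upper()
    return name == PSEXEC_SERVICE or path.endswith(PSEXEC_SERVICE + ".EXE")


def is_psexec_pipe_access(ev):
    """5145 on IPC$ naming the default PsExec control pipe."""
    return (ev["EventID"] == 5145
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").upper().startswith(PSEXEC_SERVICE))


def admin_share_exe_then_service(events, window=timedelta(seconds=60)):
    """Behavioural rule: an .exe written to ADMIN$ (5145) followed within `window`
    by a 7045 on the same host whose ImagePath is that file under %SystemRoot%.
    This is how PsExec stages its service regardless of the name chosen with -r."""
    writes = [e for e in events if e["EventID"] == 5145
              and e.get("ShareName", "").upper().endswith("ADMIN$")
              and e.get("RelativeTargetName", "").lower().endswith(".exe")]
    hits = []
    for svc in events:
        if svc["EventID"] != 7045:
            continue
        path = svc.get("ImagePath", "")
        if not path.upper().startswith("%SYSTEMROOT%\\"):
            continue
        exe = path.split("\\")[-1].lower()
        for w in writes:
            if (w["Computer"] == svc["Computer"]
                    and w["RelativeTargetName"].lower() == exe
                    and timedelta(0) <= svc["Time"] - w["Time"] <= window):
                hits.append({"host": svc["Computer"], "source": w["IpAddress"],
                             "service": svc["ServiceName"], "exe": exe})
    return hits


def detect(events):
    """Return (rule, host, detail) tuples for every rule that fires."""
    findings = []
    for ev in events:
        if is_default_psexec_service(ev):
            findings.append(("psexec_default_service", ev["Computer"], ev["ServiceName"]))
        if is_psexec_pipe_access(ev):
            findings.append(("psexec_pipe", ev["Computer"], ev["IpAddress"]))
    for hit in admin_share_exe_then_service(events):
        findings.append(("admin_share_drop_then_service", hit["host"],
                         f'{hit["source"]} -> {hit["service"]}'))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the name-based rules flag only the FS01 activity, while the behavioural rule flags both FS01 and the renamed run on DC01; the Defender service install is ignored because its image path is not a bare executable under %SystemRoot%. Event 5145 must be enabled (Audit Detailed File Share) for the share-based rules to have data, and in a real deployment the window and the source-address allow-list for known administration hosts are the knobs that control false positives.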
Symantec's protection against Thrip's activities includes file-based (signature) detection of the group's malware, and customers of its DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received detailed reports on Thrip's methods and how to detect and thwart them. The Symantec Malware Analysis Appliance can also detect activity associated with Thrip. Because Thrip continues to evolve its tactics, organizations should maintain robust security controls, log the administrative tooling the group abuses, and stay current with threat intelligence on the group.
Description last updated: 2024-05-04T20:32:00.119Z