Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. ^[1]

ID: G0076

Aliases: Thrip

Version: 1.0

Alias Descriptions

Name	Description
Thrip	^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1048	Exfiltration Over Alternative Protocol	Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.^[1]
Enterprise	T1086	PowerShell	Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.^[1]
Enterprise	T1219	Remote Access Tools	Thrip used a cloud-based remote access software called LogMeIn for their attacks.^[1]

Software

ID	Name	Techniques
S0261	Catchamas	Application Window Discovery, Clipboard Data, Data Staged, Input Capture, Masquerading, Modify Registry, New Service, Screen Capture, System Network Configuration Discovery
S0002	Mimikatz	Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029	PsExec	Service Execution, Windows Admin Shares

References

Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.