Thrip
Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]
ID: G0076
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020
Techniques Used
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1] |
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1] |
Enterprise | T1219 | Remote Access Software |
Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1] |