A new hacker group, labelled Thrip by the cyber security company Symantec, has successfully infiltrated satellite, defense, and telecom companies using a “living off the land” attack. A living off the land attack relies on common computer utilities already present on the network, which the attacker uses to carry out activity that is very hard to detect. Because the attacker is using common utilities, companies may never recognize the activity as malicious. Living off the land attacks also make it harder for security professionals to attribute the attack to a specific person or group. Symantec concluded that the most likely motive for the attack was espionage and disruption.
Thrip’s activities were discovered through the use of Symantec’s Targeted Attack Analytics software. This application uses AI and machine learning to find potential risks and generates a report with a threat level indicator to alert users to a problem. It is particularly impressive that this tool was able to detect legitimate tools being used by an illegitimate party. Symantec claims that this process would have taken thousands of hours of human analyst time and that the software was especially good at finding “needle in the haystack” attacks like this one.
The common utilities that Thrip used in this attack included PsExec, PowerShell, Mimikatz, WinSCP, and LogMeIn. PsExec and PowerShell were used to download files and move across systems on the network. Mimikatz is a free tool that allows recovery of passwords and changing of privileges. WinSCP is an open source FTP client normally used for creating backups of remote websites, but in this case Thrip used the client to export data from the infected companies. Finally, LogMeIn is a tool used to gain remote access to computers; it is unclear whether Thrip used pre-existing LogMeIn accounts or installed the tool after the fact.
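As an added example (not code from Symantec or from the original post), the check below illustrates the defensive idea behind this story: none of these tools is suspicious on its own, but several of them running on one host within a short window is. The pipe-separated log format, the tool list and the log lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the article (assumed process image names).
LOTL_TOOLS = {"psexec.exe", "psexesvc.exe", "powershell.exe",
              "mimikatz.exe", "winscp.exe", "logmein.exe"}

# Constructed process-creation records: timestamp|host|user|image|cmdline
SAMPLE_LOG = [
    "2018-06-01T09:00:00|WS01|alice|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File backup.ps1",
    "2018-06-01T10:02:00|FS02|svc_admin|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS02 cmd",
    "2018-06-01T10:05:00|FS02|svc_admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File stage.ps1",
    "2018-06-01T10:11:00|FS02|svc_admin|C:\\Users\\Public\\mimikatz.exe|mimikatz.exe",
    "2018-06-01T10:20:00|FS02|svc_admin|C:\\Program Files\\WinSCP\\WinSCP.exe|WinSCP.exe /script=put.txt",
    "2018-06-01T14:00:00|WS01|alice|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

def parse_event(line):
    """Split one constructed record and normalise the image to a bare file name."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def score_hosts(lines, window=timedelta(hours=1), threshold=3):
    """Return {host: sorted distinct tools} for hosts where at least `threshold`
    different tools from LOTL_TOOLS ran within `window` of each other.
    A single PowerShell run is normal administration, so the alert is on the
    combination, not on any one tool."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["image"] in LOTL_TOOLS:
            per_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):           # slide a window over each start event
            seen = {e["image"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(score_hosts(SAMPLE_LOG))  # only FS02 is flagged
```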
Symantec discovered that Thrip was also installing a trojan called Infostealer.Catchamas onto some computers. The malware is used to steal information from those computers and send it to a remote location.
A link to the original blog post by Symantec can be found HERE.