
G0076 Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.[1]

ID: G0076
Associated Names:
Version: 1.2
Created: 17 October 2018
Last Modified: 12 October 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Thrip has obtained and used tools such as Mimikatz and PsExec.[1] |
| enterprise | T1219 | Remote Access Software | Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1] |

Software

| ID | Name | References | Use | Techniques |
|---|---|---|---|---|
| S0261 | Catchamas | [1] | - | Application Window Discovery; Clipboard Data; Windows Service: Create or Modify System Process; Local Data Staging: Data Staged; Keylogging: Input Capture; Masquerade Task or Service: Masquerading; Modify Registry; Screen Capture; System Network Configuration Discovery |
| S0002 | Mimikatz | [1] | - | SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; LSASS Memory: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Ticket: Use Alternate Authentication Material; Pass the Hash: Use Alternate Authentication Material |
| S0029 | PsExec | [1] | Thrip used PsExec to move laterally between computers on the victim's network.[1] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services |

References