A previously unknown cyberespionage group dubbed Rancor has been launching attacks against various entities in Southeast Asia, security researchers have found. According to security researchers at Palo Alto Networks, who discovered the new cyber espionage campaign, the attackers have been observed targeting Southeast Asian countries Cambodia and Singapore.
Rancor is also likely behind the KHRAT malware that was used to attack organizations in Cambodia in 2017, researchers said. However, the hacker group's latest campaign appears to be highly targeted in both the choice of targets and the distribution of the malware families.
Rancor’s latest attacks use two main malware families dubbed DDKONG and PLAINTEE. While the DDKONG malware appears throughout the campaign, the PLAINTEE malware is likely a new addition to the Rancor hackers’ toolkit.
In their new campaign, hackers have been leveraging spear-phishing messages that contain politically-focused news articles. Palo Alto researchers believe that this indicates Rancor are targeting political entities.
“These decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case, Facebook,” Palo Alto researchers wrote in a blog.
Researchers were able to link the PLAINTEE and DDKONG malware families, both of which were used to target organizations in Southeast Asia, to the KHRAT trojan’s infrastructure. In at least one case, Rancor used macro-embedded Microsoft Office Excel document to deliver the malware.
“In all cases where we were able to identify the final payloads used, the DDKONG or PLAINTEE malware families were used,” Palo Alto researchers said. “We observed DDKONG in use between February 2017 and the present, while PLAINTEE is a newer addition with the earliest known sample being observed in October 2017. It’s unclear if DDKONG is only used by one threat actor or more than one based on the data available.”
The DDKONG malware comes with three main functionalities.
The first function, ServiceMain, is an exported function which indicates this DLL will likely be loaded as a service. Once the function is loaded, it spawns a new version of itself. The Rundll32Call function ensures that DDKONG is executed only once at a given time. The final functionality is DllEntryPoint.
Meanwhile, researchers uncovered that the PLAINTEE malware uses a custom UDP protocol for its network communications. The malware collects general system enumeration data about the infected system.
According to Palo Alto researchers, Rancor represents the trend of attacking Southeast Asian targets. Most of the lures used by the hacker group were designed to be politically motivated - this hints at the level of targeting, especially given that most of the targeted organizations were political entities.
“In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families,” Palo Alto researchers added. “These families made use of custom network communication to load and execute various plugins hosted by the attackers.
“Notably the PLAINTEE malwares’ use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware.”
Publisher