A new cyber espionage group, dubbed RANCOR, has been identified targeting South East Asia with two new malware families, PLAINTEE and DDKONG. The RANCOR group appears to be associated with the KHRAT malware used in attacks against Cambodia.
The attacks start with spear phishing messages that carry public news content as the lure, which leads the researchers to believe the RANCOR group is targeting political entities.
Security researchers from Palo Alto Networks uncovered the RANCOR group. According to the researchers, the group primarily focuses on political entities in Singapore and Cambodia, but its targeting is not limited to these countries.
DDKONG was used by the attackers throughout the campaign, while PLAINTEE is a new addition to their toolkit.
Same IP address used – RANCOR group
Starting in February 2018, the domains associated with KHRAT began resolving to the IP address 89[.]46[.]222[.]97. Pivoting on that IP, the researchers found further domains resolving to it that mimic popular company names, such as facebook-apps[.]com.
The researchers identified two malware samples, a loader and PLAINTEE, that connect directly to this IP address. Further analysis turned up six PLAINTEE samples in total, all linked together by the infrastructure they use.
“Our investigation into both clusters further showed that they were both involved in attacks targeting organizations in South East Asia. Based on the use of the relatively unique PLAINTEE malware, the malware’s use of the same file paths in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker.”
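The infrastructure pivot described above (KHRAT domains and brand-mimicking domains resolving to one shared IP) is the kind of check a defender can automate over passive DNS data. The following is an added example, not code from the Palo Alto Networks report: it groups resolution records by IP, flags every domain that shares an IP with a known-bad domain, and separately flags domains whose leftmost label imitates a well-known brand. The IP 89[.]46[.]222[.]97 and facebook-apps[.]com are taken from the article; all other domains, dates and the brand list are constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen).
# Only 89[.]46[.]222[.]97 and facebook-apps[.]com come from the report;
# the other domains, the .test TLD and the dates are made up for this example.
RECORDS = [
    ("khrat-c2-example[.]test", "89[.]46[.]222[.]97", "2018-02-03"),
    ("facebook-apps[.]com", "89[.]46[.]222[.]97", "2018-02-10"),
    ("update-msoffice[.]test", "89[.]46[.]222[.]97", "2018-02-20"),
    ("benign-site[.]test", "203[.]0[.]113[.]5", "2018-01-01"),
]

# Seed: a domain already attributed to KHRAT (constructed name).
KNOWN_BAD = {"khrat-c2-example[.]test"}

# Brand fragments to look for in the leftmost DNS label (assumed list).
BRANDS = ("facebook", "google", "microsoft", "msoffice")


def refang(value: str) -> str:
    """Turn the defanged form used in reports ('[.]') back into a real dot."""
    return value.replace("[.]", ".")


def group_by_ip(records):
    """Map each resolving IP to the set of domains that pointed at it."""
    by_ip = defaultdict(set)
    for domain, ip, _first_seen in records:
        by_ip[refang(ip)].add(refang(domain))
    return dict(by_ip)


def pivot(records, known_bad):
    """Return domains that share a resolving IP with any known-bad domain.

    The known-bad seeds themselves are excluded from the result so the
    output is only the newly discovered, related infrastructure.
    """
    by_ip = group_by_ip(records)
    bad = {refang(d) for d in known_bad}
    related = set()
    for _ip, domains in by_ip.items():
        if domains & bad:
            related |= domains - bad
    return sorted(related)


def brand_lookalikes(domains, brands=BRANDS):
    """Flag domains whose leftmost label contains a brand name."""
    hits = []
    for d in domains:
        label = refang(d).split(".")[0].lower()
        if any(b in label for b in brands):
            hits.append(refang(d))
    return sorted(hits)


if __name__ == "__main__":
    print("shared-IP pivot:", pivot(RECORDS, KNOWN_BAD))
    print("brand lookalikes:", brand_lookalikes([d for d, _, _ in RECORDS]))
```

With real passive DNS data the same two functions give a candidate list to triage; a domain that appears in both outputs (shared infrastructure and a brand-mimicking name) is the strongest signal, as the facebook-apps[.]com case in the report shows.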
Malware Delivery Mechanisms
Three cases were examined, and in all of them DDKONG or PLAINTEE was the final payload. DDKONG was first spotted in February 2017, while PLAINTEE is a newer addition that was first observed in October 2017.
In one case, the attackers used a Microsoft Excel document whose macro was embedded in an EXIF metadata property of the document. In another, they sent an HTML Application file (.hta) that downloaded the malware. In a third attack, they used DLL files.
PLAINTEE uses a custom UDP protocol to communicate with its command and control server, and the data it transmits is encoded.
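The Excel case above relies on a document property carrying script content that a small macro reads back at run time, which is exactly the kind of thing document metadata should never contain. The following added example, which is not code from the report, shows a defensive check: it opens an Office Open XML file as a zip, reads the properties in docProps/core.xml and docProps/app.xml, and flags any value that looks like script or is implausibly long. It assumes the property lives in those OOXML parts (legacy binary .xls files store properties in OLE streams, which this check does not cover); the script-marker list, the length threshold and the sample document are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Heuristic markers of VBA/script content inside a property value (assumed list).
SCRIPT_MARKERS = re.compile(
    r"(CreateObject|WScript\.Shell|powershell|cmd\.exe|Shell\(|\bSub\b|\bFunction\b|\bExecute\b)",
    re.IGNORECASE,
)
MAX_SANE_LENGTH = 200  # assumption: legitimate metadata values are short

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def read_properties(data: bytes) -> dict:
    """Return {property_name: value} from the OOXML docProps parts."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for element in root:
                name = element.tag.split("}")[-1]  # strip the XML namespace
                if element.text and element.text.strip():
                    props[name] = element.text.strip()
    return props


def suspicious_properties(props: dict) -> list:
    """Return (property_name, [reasons]) for every value that looks abused."""
    findings = []
    for name, value in props.items():
        reasons = []
        if SCRIPT_MARKERS.search(value):
            reasons.append("script-like content")
        if len(value) > MAX_SANE_LENGTH:
            reasons.append(f"unusually long ({len(value)} chars)")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(company_value: str) -> bytes:
    """Build a minimal OOXML-style zip with only docProps so the check runs offline.

    Constructed for this example; it is not a document from the campaign.
    """
    core = (
        f'<cp:coreProperties xmlns:cp="{CORE_NS}" '
        f'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>user</dc:creator></cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{APP_NS}"><Application>Microsoft Excel</Application>'
        f"<Company>{escape(company_value)}</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample("Example Corp")
    abused = build_sample('Set sh = CreateObject("WScript.Shell")')
    print("clean:", suspicious_properties(read_properties(clean)))
    print("abused:", suspicious_properties(read_properties(abused)))
```

In a mail gateway or sandbox pipeline the same check runs against every attachment before the macro is ever executed; a hit on a property such as Company or Comments is a cheap, high-confidence reason to quarantine the file for analysis.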
“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. The politically motivated lures were used by attackers to entice victims into opening and subsequently loading previously undocumented malware families.”
Palo Alto Networks has published a full analysis report, including the IoCs associated with the campaign.