According to the experts, the RANCOR APT group has been targeting political entities in Singapore, Cambodia, and Thailand, and likely in other countries, using two previously unknown strain of malware. The two malware families were tracked as DDKONG and PLAINTEE.
The hackers leverage spear phishing messages using weaponized documents containing details taken from public news articles on political news and events. These decoy documents are hosted on legitimate websites, such as the website of the Cambodia Government, and Facebook.
“Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. ” reads the analysis published by PaloAlto Networks.
“Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.”
The recent campaign appears related to the KHRAT Trojan, a backdoor that was associated with the China-linked APT group tracked as DragonOK (also known as NetTraveler (TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT i).
The KHRAT RAT provides attackers with the typical set of RAT features, including remote access to the victim system, keylogging, and remote shell access.
One of the IP addresses for the domains associated with the KHRAT backdoor led the researchers to websites mimicking popular technology companies (i.e. facebook-apps[.]com). The experts linked the malware PLAINTEE and a loader to the domain, they were able to analyze only six samples that were associated with 2 separate infrastructure clusters.
PaloAlto researchers discovered that both clusters were involved in the campaigns that targeted organizations in South East Asia.
Experts found at least one attack against a company leveraging a Microsoft Office Excel document with an embedded macro to execute the malware. The malware was hidden in the EXIF metadata property of the document. This technique was used last year by the Russia-linked APT group Sofacy.
Researchers uncovered another attack leveraging an HTML Application file (.hta), and a series of attacks that used DLL loaders.
“We identified three unique DLL loaders during this analysis. The loaders are extremely simple with a single exported function and are responsible for executing a single command.” continues the analysis.
The DDKONG was first detected in February 2017, it was used by other attackers in the wild differently from PLAINTEE that was used exclusively by the RANCOR group.
An interesting feature of the PLAINTEE malware it the use of a custom UDP protocol for network communications.
“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families.” Palo Alto concludes. “These families made use of custom network communication to load and execute various plugins hosted by the attackers,”
(Security Affairs – RANCOR, cyber espionage)