Rancor

Description

(Palo Alto) Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.

We believe this group is previously unidentified and therefore have we have dubbed it “Rancor”. The Rancor group’s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit.

Kaspersky found connections between this group and DragonOK.

Names

Name	Name-Giver
Rancor	Palo Alto
Rancor Group	Palo Alto
Rancor Taurus	Palo Alto

Country

• China

Motivation

• Information theft and espionage

First Seen

2017

Observed Sectors

• Government
• political entities

Observed Countries

• Cambodia
• Singapore
• Vietnam
• Southeast Asia

Tools

• 8.t Dropper
• certutil
• Cobalt Strike
• DDKONG
• Derusbi
• Dudell
• ExDudell
• KHRAT
• PLAINTEE

Information

• https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
• https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/
• https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/

Mitre Attack

• https://attack.mitre.org/groups/G0075/

Playbook

• https://pan-unit42.github.io/playbook_viewer/?pb=rancortaurus

Other Information

Uuid

020d538c-5250-46d8-9713-e739536cdd7e

Last Card Change

2024-03-10