Rancor

Introduction

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. Rancor Unit42 June 2018

Activities and Tactics

Targeted Sectors: Government, Civil society

Country of Origin: 🇨🇳 China

Risk Level: High

Incident Type: Espionage

Suspected Victims: Singapore, Cambodia

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1071.001 Web Protocols
• T1059.005 Visual Basic
• T1204.002 Malicious File
• T1053.005 Scheduled Task
• T1105 Ingress Tool Transfer
• T1218.007 Msiexec
• T1546.003 Windows Management Instrumentation Event Subscription
• T1059.003 Windows Command Shell
• T1566.001 Spearphishing Attachment

ATT&CK technique IDs (denormalized)

• T1053.005
• T1059.003
• T1059.005
• T1071.001
• T1105
• T1204.002
• T1218.007
• T1546.003
• T1566.001

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• KHRAT Trojan:
• Derusbi:
• Dudell:
• DDKONG Plugin:

MITRE ATT&CK Software

• Reg (S0075) — tool
• DDKONG (S0255) — malware
• PLAINTEE (S0254) — malware
• certutil (S0160) — tool

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] Rancor Unit42 June 2018 Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.