1. Home
  2. Groups
  3. Rancor

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]

ID: G0075
Version: 1.3
Created: 17 October 2018
Last Modified: 09 February 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

Rancor has complied VBScript-generated MOF files into WMI event subscriptions for persistence.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Rancor has used cmd.exe to execute commmands.[1]
.005 命令与脚本解释器: Visual Basic

Rancor has used VBS scripts as well as embedded macros for execution.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Rancor has used HTTP for C2.[1]
Enterprise T1204 .002 用户执行: Malicious File

Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[1]
Enterprise T1218 .007 系统二进制代理执行: Msiexec

Rancor has used msiexec to download and execute malicious installer files over HTTP.[1]
Enterprise T1105 输入工具传输

Rancor has downloaded additional malware, including by using certutil.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

Rancor has attached a malicious document to an email to gain initial access.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.[1]

Software

ID Name References Techniques
S0160 certutil [1] 反混淆/解码文件或信息, 归档收集数据: Archive via Utility, 输入工具传输, 颠覆信任控制: Install Root Certificate
S0255 DDKONG [1] 反混淆/解码文件或信息, 文件和目录发现, 系统二进制代理执行: Rundll32, 输入工具传输
S0254 PLAINTEE [1] 修改注册表, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Windows Command Shell, 滥用权限提升控制机制: Bypass User Account Control, 系统信息发现, 系统网络配置发现, 输入工具传输, 进程发现
S0075 Reg [1] 修改注册表, 未加密凭证: Credentials in Registry, 查询注册表

References

  1. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  1. Jen Miller-Osborn and Mike Harbison. (2019, December 17). Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. Retrieved February 9, 2024.