Criminal collectives are increasingly active against computer networks worldwide. Experts have detected a new wave of attacks orchestrated by the Rancor hackers against computers located in Asia, leveraging the PLAINTEE and DDKONG malware families. The group has previously been known for creating custom Trojans for targeted attacks against organizations.
Discovery of the Rancor Hackers and Their PLAINTEE and DDKONG Malware
Targeted hacker attacks have become one of the most dangerous tactics of the last two years. They can have far more damaging consequences, as they most often rely on security vulnerabilities and on infecting computers with custom code or sophisticated Trojan strains. This is why they can be much more devastating than ordinary virus infections, including ransomware infections.
The criminal collective was discovered following an analysis of a threat known as the KHRAT Trojan. It was used in a sophisticated attack in August 2017 against computer users in Cambodia. The main distribution method was infected Microsoft Word documents that used social engineering tactics to infect as many users as possible. Once the built-in macros (scripts) are activated, the macro engine launches a download command that retrieves the rest of the virus. The security analysis shows that the network requests use a spoofed Dropbox domain address, a trick used to prevent system administrators and automated defense countermeasures from detecting the suspicious operations.
Following its installation it sets up a Trojan instance which connects to a hacker-controlled server. This allows the Rancor hackers to spy on the victims, deploy additional threats and take over control of the machines at any given time.
The KHRAT Trojan is an important piece of the puzzle, as a similar strategy is currently being operated against targets in Asia. The way the infections are carried out shows that the same actors are behind the ongoing attacks. The reports show that the collective is targeting Singapore and Cambodia.
The Rancor Hackers Leverage PLAINTEE and DDKONG Malware Against Asian Targets
The attacks once again use email spam messages as the primary method of distribution. The reports indicate that the Rancor hackers are using elements taken from news articles that focus primarily on political news and contemporary events. This gives the experts reason to believe that the attackers are mainly targeting political entities.
One of the most dangerous characteristics of the email messages is that they are hosted on legitimate sites, including ones run by the Cambodian government and social networks such as Facebook. During the analysis the security specialists noted that some of the KHRAT Trojan commands and servers are being reused. There are two distinct clusters (named “Cluster A” and “Cluster B”) that utilize separate phishing strategies. This is done in order to increase the infection ratio.
DDKONG Malware Capabilities
The code analysis of the DDKONG malware shows that its earliest versions date back to October 2017. This makes it quite possible that the virus’s code has been shared with other groups or hackers.
DDKONG is made of three parts: ServiceMain, Rundll32Call and DllEntryPoint. When the first part is executed it loads itself as a service and then launches the second module. This is done in order to achieve a persistent installation. Similar threats modify the system by disabling certain recovery menus and modes and make the virus start automatically when the computer is booted. This makes manual removal by the user very difficult.
The Rundll32Call function starts a service monitor that ensures that only a single instance is running at a time. The third module is delivered in an encoded form and decoded live on the system once the two prior modules have run successfully. This step is necessary in order to prevent security software from detecting the final malware with signature-based scans. The final module (DllEntryPoint) creates a secure connection to a hacker-controlled server which is used to report the infections. It also allows the hackers to install other threats, spy on the victims and take over control of the machines.
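The reason an encoded final stage slips past signature scanning is that the bytes on disk carry none of the patterns a scanner knows. One triage check defenders use instead is byte entropy: an encoded or encrypted blob embedded in an otherwise ordinary file shows up as a window of near-maximal entropy. The script below is an added example written for this article, not code from the original analysis or from the malware itself; the sample file it scans is constructed inline (plain text followed by a shuffled-byte blob standing in for an encoded payload), and the 7.0 bits-per-byte threshold and 512-byte window are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

# Assumption: 7.0 bits/byte is a common triage cut-off; plain x86 code and text
# usually sit well below it, while encoded/encrypted/compressed data sits near 8.0.
HIGH_ENTROPY_THRESHOLD = 7.0
WINDOW_SIZE = 512


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, window: int = WINDOW_SIZE):
    """Entropy of each fixed-size window, so an embedded encoded blob stands out
    even when the rest of the file is ordinary code."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def find_encoded_regions(data: bytes, window: int = WINDOW_SIZE,
                         threshold: float = HIGH_ENTROPY_THRESHOLD):
    """Return (offset, entropy) for every window at or above the threshold."""
    return [(off, round(e, 2)) for off, e in entropy_windows(data, window) if e >= threshold]


def constructed_sample() -> bytes:
    """Constructed stand-in for a loader carrying an encoded stage: 512 bytes of
    plain text followed by 512 bytes in which every byte value appears exactly twice
    (two shuffled permutations), i.e. maximal entropy, like an encoded payload."""
    text = (b"This is a plain text stub that stands in for ordinary loader code. " * 10)[:WINDOW_SIZE]
    rng = random.Random(1337)
    blob = bytearray()
    for _ in range(2):
        perm = list(range(256))
        rng.shuffle(perm)
        blob.extend(perm)
    return text + bytes(blob)


if __name__ == "__main__":
    for off, ent in entropy_windows(constructed_sample()):
        print(f"offset {off:5d}: {ent:.2f} bits/byte")
    print("high-entropy regions:", find_encoded_regions(constructed_sample()))
```

Run against a real sample, replace `constructed_sample()` with the file's bytes; a high-entropy window in the resource or overlay area of an otherwise low-entropy DLL is the signal worth following up, since that is where a runtime-decoded module would typically be parked.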
PLAINTEE Malware Capabilities
The PLAINTEE malware is a sophisticated threat that has been found to use a custom UDP protocol to communicate with the hackers. Like DDKONG it uses phishing emails for the initial infection, and as soon as the malware makes its way onto the target machine it starts its built-in behaviour pattern.
The code analysis of the captured strains shows that the first actions taken by the threat relate to the Windows Registry. The virus installs itself as a persistent threat by masquerading as a “Microsoft Audio” service. It creates a new folder entry that poses as a component belonging to the operating system. Following this a system service monitor is called which makes sure that only a single instance is running at a time.
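A service that calls itself “Microsoft Audio” is only convincing until someone looks at where its binary lives. The check below is an added example written for this article, not code from the original analysis, showing the kind of rule a defender can run over a dump of installed services (name, display name and ImagePath, as exported from the registry or the Service Control Manager): a vendor-branded display name whose executable sits outside the Windows or Program Files directories, or any service starting from a user-writable location, gets flagged. The service records are constructed for the example; the paths, the trusted-directory list and the user-writable markers are assumptions, and the real PLAINTEE install path is not given in the article.

```python
import re

# Assumption: where a genuine Windows- or Microsoft-branded service binary is expected.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Assumption: directories an unprivileged user can write to; a service starting
# from one of these deserves a second look regardless of its display name.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalize_image_path(image_path: str) -> str:
    """Expand %SystemRoot%/%windir%, drop quotes and arguments (e.g. 'svchost.exe -k ...'
    or 'rundll32.exe foo.dll,Entry') and return the lowercase executable path."""
    p = re.sub(r"%systemroot%|%windir%", r"c:\\windows", image_path.strip(), flags=re.IGNORECASE)
    m = re.match(r'^\s*"?(.*?\.(?:exe|dll|sys))', p, re.IGNORECASE)
    if m:
        p = m.group(1)
    else:
        p = p.split()[0] if p.split() else ""
    return p.lower()


def suspicious_services(services):
    """Return (service name, normalized path, reasons) for each record that trips a rule."""
    findings = []
    for svc in services:
        display = svc["DisplayName"].strip().lower()
        path = normalize_image_path(svc["ImagePath"])
        vendor_branded = display.startswith(("microsoft", "windows"))
        reasons = []
        if vendor_branded and not path.startswith(TRUSTED_DIRS):
            reasons.append("vendor-branded display name but binary outside trusted directories")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("binary in user-writable location")
        if reasons:
            findings.append((svc["Name"], path, reasons))
    return findings


# Constructed service records: two legitimate Windows services, one masquerading
# "Microsoft Audio" service in a user profile (path invented for the example),
# and an unbranded service running from ProgramData.
CONSTRUCTED_SERVICES = [
    {"Name": "AudioSrv", "DisplayName": "Windows Audio",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Name": "MsAudio", "DisplayName": "Microsoft Audio",
     "ImagePath": r"C:\Users\alice\AppData\Roaming\MsAudio\svchost.exe"},
    {"Name": "UpdSvc", "DisplayName": "Acme Updater",
     "ImagePath": r"C:\ProgramData\Acme\upd.exe"},
]

if __name__ == "__main__":
    for name, path, reasons in suspicious_services(CONSTRUCTED_SERVICES):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"    - {r}")
```

On a live host the input would come from `HKLM\SYSTEM\CurrentControlSet\Services` or `Get-Service`/`sc query` output; the rule deliberately keys on the binary's location rather than on the display name string alone, because the name is the part the attacker controls completely.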
The next step is to execute a data harvesting engine which is used to generate the unique user identification. The list of collected values includes the following information:
- Processor Specifications & Installed Memory
- Motherboard and Installed Components
- Regional Settings
- User-Set Operating System Values
Like the DDKONG malware, this particular threat also uses a custom protocol to communicate with the hacker-controlled servers. The harvested data is sent automatically and a request and response sequence is established. The observed interactions signal that the hackers can use various commands. As well as retrieving the list of sensitive data, the connection can be used to deploy additional threats.
The analysis reveals that the engine can also retrieve the list of running applications and services, as well as the available network connections. This can be used to deploy additional threats, take over control of the machines and spy on the users in real time.
Consequences of the PLAINTEE and DDKONG Malware Infections by the Rancor Hackers
The ongoing attacks that originate from the Rancor hackers seem to target solely the South East Asia region. It is very likely that the attackers come from a country in this area, as they use a sophisticated phishing scheme based on social engineering. One of the most dangerous aspects of the threat is its use of custom protocols, which hinders both detection of the malware by security software and network traffic analysis.
The analysis conclusion once again confirms that complex strains such as this one are particularly dangerous. The investigation continues as security researchers keep monitoring the malware landscape.