A new malware campaign was observed this month, which appears to be politically driven and targets organizations operating in southeast Asia. The malware was dubbed “RANCOR” by Palo Alto researchers and falls under the Trojan malware classification. Additionally, the malware appears to make use of code from two malware families: DDKONG and PLAINTEE.
The malware has been observed in at least three cases, in which high profile individuals were targeted in spear phishing emails. The email contained malicious attachments in the form of .hta, .xlxs, and .dll file types. When opened, these attachments open decoy PDFs or web pages that claim to be related to political parties from the given country. However, these attachments would also execute scripts in the background in order to complete their installation on the host system.
While this behavior might seem easy to detect at first glance, the closer look reveals the malware writers took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed when certain conditions were met. Additionally, in the case of web pages opening, the websites of legitimate government
organizations and Facebook were compromised in order to bypass security.
Though current findings show only Cambodia and Singapore have been targeted thus far in the RANCOR campaign, a number of other countries located in Asia Pacific could be targeted as well and it is recommended to update security controls to detect the IOCs associated with this attack. One tell tale sign of some RANCOR variants is the rare use of a custom UDP protocol. This protocol may be detected by some heuristic IDPS devices searching for file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows and corresponding to the SHA256 hash below.
IDPS devices can be updated to trigger on the following additional signatures that have been observed:
- Domain: www.facebook-apps.com
- IPv4: 126.96.36.199
- SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
- SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d
The Proficio Threat Intelligence Recommendations:
- Ensure security devices are updated to latest stable firmware.
- Monitor for IOCs related to file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows.
- Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.
Source of Analysis – Click Here