SYMBOLCOMMON_NAMEaka. SYNONYMS

RANCOR  (Back to overview)

aka: Rancor group, Rancor, Rancor Group

The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.


Associated Families
win.plaintee win.8t_dropper win.ddkong

References
2020-09-16RiskIQJon Gross
@online{gross:20200916:riskiq:da4b864, author = {Jon Gross}, title = {{RiskIQ: Adventures in Cookie Land - Part 2}}, date = {2020-09-16}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/56fa1b2f}, language = {English}, urldate = {2020-09-23} } RiskIQ: Adventures in Cookie Land - Part 2
8.t Dropper Chinoxy Poison Ivy
2020-08-19RiskIQJon Gross, Cory Kennedy
@online{gross:20200819:riskiq:94e5ccf, author = {Jon Gross and Cory Kennedy}, title = {{RiskIQ Adventures in Cookie Land - Part 1}}, date = {2020-08-19}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/5fe2da7f}, language = {English}, urldate = {2020-09-23} } RiskIQ Adventures in Cookie Land - Part 1
8.t Dropper Chinoxy
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing
2020-03-21MalwareLab.plMaciej Kotowicz
@online{kotowicz:20200321:royal:da8fd16, author = {Maciej Kotowicz}, title = {{On the Royal Road}}, date = {2020-03-21}, organization = {MalwareLab.pl}, url = {https://blog.malwarelab.pl/posts/on_the_royal_road/}, language = {English}, urldate = {2020-03-24} } On the Royal Road
8.t Dropper
2020-03-20Medium SebdravenSébastien Larinier
@online{larinier:20200320:new:3da1211, author = {Sébastien Larinier}, title = {{New version of chinoxy backdoor using COVID19 alerts document lure}}, date = {2020-03-20}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746}, language = {English}, urldate = {2020-03-26} } New version of chinoxy backdoor using COVID19 alerts document lure
8.t Dropper Chinoxy
2020-03-12Check PointCheck Point Research
@online{research:20200312:vicious:3218bb8, author = {Check Point Research}, title = {{Vicious Panda: The COVID Campaign}}, date = {2020-03-12}, organization = {Check Point}, url = {https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/}, language = {English}, urldate = {2020-03-13} } Vicious Panda: The COVID Campaign
8.t Dropper BYEBY Enfal Korlia Poison Ivy
2020-03-11Virus BulletinGhareeb Saad, Michael Raggi
@online{saad:20200311:attribution:3efcc0a, author = {Ghareeb Saad and Michael Raggi}, title = {{Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers}}, date = {2020-03-11}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/}, language = {English}, urldate = {2020-03-13} } Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
8.t Dropper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:79d8dd2, author = {SecureWorks}, title = {{BRONZE OVERBROOK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook}, language = {English}, urldate = {2020-05-23} } BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK
2019-12-17Palo Alto Networks Unit 42Jen Miller-Osborn, Mike Harbison
@online{millerosborn:20191217:rancor:998fe1c, author = {Jen Miller-Osborn and Mike Harbison}, title = {{Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia}}, date = {2019-12-17}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/}, language = {English}, urldate = {2020-01-08} } Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT
2019-09-22Check Point ResearchCheck Point Research
@online{research:20190922:rancor:e834f67, author = {Check Point Research}, title = {{Rancor: The Year of The Phish}}, date = {2019-09-22}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/}, language = {English}, urldate = {2020-03-04} } Rancor: The Year of The Phish
8.t Dropper Cobalt Strike
2019-07-23ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190723:chinese:804ec1c, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia}}, date = {2019-07-23}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology}, language = {English}, urldate = {2019-12-20} } Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
8.t Dropper Cotx RAT TA428
2019-01-03m4n0w4r
@online{m4n0w4r:20190103:another:2f48120, author = {m4n0w4r}, title = {{Another malicious document with CVE-2017–11882}}, date = {2019-01-03}, url = {https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f}, language = {Vietnamese}, urldate = {2020-03-11} } Another malicious document with CVE-2017–11882
8.t Dropper
2019MITREMITRE ATT&CK
@online{attck:2019:rancor:d326bb1, author = {MITRE ATT&CK}, title = {{Group description: Rancor}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0075/}, language = {English}, urldate = {2019-12-20} } Group description: Rancor
RANCOR
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:rancor:95bf94e, author = {Cyber Operations Tracker}, title = {{Rancor}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/rancor}, language = {English}, urldate = {2019-12-20} } Rancor
RANCOR
2018-11-03m4n0w4r
@online{m4n0w4r:20181103:l:d496fbd, author = {m4n0w4r}, title = {{Là 1937CN hay OceanLotus hay Lazarus …}}, date = {2018-11-03}, url = {https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241}, language = {Vietnamese}, urldate = {2020-03-11} } Là 1937CN hay OceanLotus hay Lazarus …
8.t Dropper
2018-07-31Medium SebdravenSébastien Larinier
@online{larinier:20180731:malicious:571d2df, author = {Sébastien Larinier}, title = {{Malicious document targets Vietnamese officials}}, date = {2018-07-31}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?}, language = {English}, urldate = {2020-03-04} } Malicious document targets Vietnamese officials
8.t Dropper
2018-06-26Palo Alto Networks Unit 42Brittany Ash, Josh Grunzweig, Tom Lancaster
@online{ash:20180626:rancor:cc2a967, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-18} } RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
RANCOR
2018-06-26Palo Alto Networks Unit 42Brittany Ash, Josh Grunzweig, Tom Lancaster
@online{ash:20180626:rancor:99f5616, author = {Brittany Ash and Josh Grunzweig and Tom Lancaster}, title = {{RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families}}, date = {2018-06-26}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/}, language = {English}, urldate = {2019-12-20} } RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
DDKONG PLAINTEE

Credits: MISP Project