Chinese Rancor APT Refreshes Malware Kit for Espionage Attacks (Dec 17, 2019)
Palo Alto Unit 42 researchers have noticed that the Advanced Persistent Threat (APT) group, “Rancor” is deploying a new malware strain dubbed “Dudell” as part of attacks targeting the Cambodian government. Rancor has been reported using custom built malware previously, using DDKONG and PLAINTEE in 2017 and 2018. The report details the use of a malicious Excel document that has a custom obfuscated VBScript named “Chrome.vbs”. The downloader pulls down a DDKONG payload exfiltrating victim information XOR encoded. Other malware such as DUDELL and KHRAT was also observed.
Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.