Chinese Rancor APT Refreshes Malware Kit for Espionage Attacks

Posted by & filed under Security Alerts.

A Chinese-linked hacking group deployed a new malware strain dubbed Dudell as part of attacks targeting Cambodian government organizations between December 2018 and January 2019.

The threat group tracked as Rancor by Palo Alto Networks’ Unit 42 is known to have operated highly-targeted cyber-espionage campaigns against other targets from South East Asia, including but not limited to Cambodia and Singapore since at least 2017.

This is not the first time Rancor was spotted using previously unknown custom malware as Unit 42 also previously observed them making use of the DDKONG and PLAINTEE families throughout attacks carried out in 2017 and 2018.

Custom malware used against government orgs

“Between early December 2018 and the end of January 2019, Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware on victim systems,” Unit 42 says.

The DUDELL sample discovered by Unit 42 features similar malicious behavior to another malware sample connected to Rancor found by Check Point researchers while observing a campaign against several Southeast Asian government entities that span over seven months.

Rancor malware malicious behavior

This malware downloader was delivered in the form of a decoy Microsoft Excel document designed to run malicious macros on the target’s computer with the end goal of downloading and executing a second stage malware payloads.

“The macro in this document gets executed when the user views the document and clicks Enable Content, at which point the macro locates and executes the data located under the Company field in the document’s properties,” the researchers add.

A custom obfuscated VBScript named Chrome.vbs was also used by the Rancor group hackers in attacks from July 2019 to infect their targets with “multiple chained persistent artifacts” to gain persistence on the compromised computers.

VBScript payload execution flow 

Second stage malware payloads

As a second stage payload, the downloader will drop a DDKONG payload that will exfiltrate XOR encoded victim info including hostname, IP address, and locale, as well as various other OS information.

The DDKONG malware can terminate processes on the compromised hosts, list folder contents, download and upload files, execute commands, take screenshots, and even act as a reverse shell to provide the attackers with remote access to the infected systems.

DUDELL was also observed while delivering KHRAT payloads that also come with reverse shell capabilities, as well as Derusbi backdoor Trojans that will load additional modules to augment its functionality.

Unit 42 provides a list of indicators of compromise (IOCs) including command and control server addresses and malware sample SHA256 hashes at the end of their Rancor report.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.