Rancor: Persistent Espionage in Southeast Asia
- Suspected Origin
- China
- Motivation
- Espionage, Political Purposes
- Aliases
- None documented
- Target Sectors
- Government, Political Entities
- Associated Malware
- Dudell, Derusbi, KHRat, DDKONG, PLAINTEE, PowerShell-based backdoors, VBScripts
Overview
Rancor (G0075) is a sophisticated cyber espionage group that has consistently targeted government and political entities across the Southeast Asia region since at least 2017. Attributed with strong links to China, Rancor’s operations are driven by political espionage, seeking to exfiltrate sensitive information from its victims. This group is known for its persistent and adaptable nature, frequently updating its toolset and delivery mechanisms to bypass detections. Early observations by Unit 42 revealed Rancor’s campaigns throughout 2017 and 2018, primarily focusing on countries such as Cambodia, Singapore, and Thailand. The group consistently leverages politically-motivated lures, tailoring its initial access vectors to entice targets into compromising their systems.
Tactics & Techniques
Rancor’s operational methodology often begins with carefully crafted spearphishing emails, a common initial access vector for espionage groups. These emails typically carry malicious documents designed with politically-motivated lures, often incorporating content from public news articles related to political events in the target region. To enhance credibility and bypass security filters, the group has been observed hosting these decoy documents on legitimate websites, including a government website belonging to Cambodia and even Facebook.
Upon successful delivery, execution commonly involves embedded macros within Microsoft Office Excel documents. Victims are tricked into enabling content, which then triggers the malicious macro to execute its payload. Rancor also utilizes VBScripts and HTML Application (.hta) files for execution. The group demonstrates proficiency in command-line execution, using cmd.exe to run commands on compromised systems. They have also used msiexec to download and execute further malicious installer files over HTTP.
For persistence, Rancor employs several techniques, including creating scheduled tasks via the schtasks /create /sc command. They also establish Windows Management Instrumentation (WMI) event subscriptions by compiling VBScript-generated Managed Object Format (MOF) files. A notable persistence mechanism observed in July 2019 involved a custom obfuscated VBScript, such as Chrome.vbs, designed to install multiple chained persistent artifacts on victim machines.
Rancor is particularly adept at defense evasion, frequently modifying its tactics, delivery methods, and payloads to elude detection. This adaptability includes using legitimate tools and masquerading malicious files. For example, the group has attempted to mimic Google Chrome updates by dropping a Chrome.js file and even used Avast Antivirus executables to disguise their malicious activities. For command and control (C2), Rancor utilizes standard HTTP protocols and, in some instances, a custom UDP protocol, particularly with its PLAINTEE malware family. Known C2 domains associated with their operations include cswksfwq.kfesv[.]xyz and connect.bafunpda[.]xyz. The group also uses certutil to download additional malware post-compromise. The PLAINTEE malware has been observed collecting general system information from infected hosts.
Notable Campaigns
Rancor’s activity was initially documented through a series of highly targeted attacks in Southeast Asia throughout 2017 and 2018. During these early campaigns, the group extensively used the DDKONG and PLAINTEE malware families, hitting targets in Singapore, Cambodia, and Thailand.
A significant campaign observed between December 2018 and January 2019 involved persistent targeting of at least one government organization in Cambodia. In these attacks, Rancor introduced a new, custom malware family dubbed Dudell and also attempted to install the Derusbi or KHRat malware.
Check Point researchers, in a report published in October 2019, detailed a months-long campaign over the preceding seven months, where Rancor continuously targeted five government agencies in Southeast Asia. This campaign highlighted Rancor’s evolving tactics, as they consistently installed PowerShell-based backdoors via spearphishing emails containing malicious documents, changing their delivery methods and payloads every few months. The attackers spoofed legitimate emails from embassies and other government entities, making it harder to link attacks. Separately, in July 2019, the group was observed deploying obfuscated VBScripts to maintain persistence on compromised systems.
Associated Malware & Tools
Rancor maintains a diverse and evolving arsenal of custom and commonly available tools:
- DDKONG: This is one of Rancor’s primary malware families, consistently deployed across many of their campaigns.
- PLAINTEE: Another key malware family, PLAINTEE appears to be a more recent addition to their toolkit, and in some instances, exclusively used by Rancor. It is distinguished by its use of a custom UDP protocol for C2 communications and its ability to gather system information.
- Dudell: Discovered in late 2018, Dudell is a custom remote access Trojan (RAT) delivered via weaponized Excel documents containing malicious macros. It serves as a first-stage downloader for additional payloads.
- Derusbi: This backdoor Trojan is a loader for encrypted payloads and has been linked to a small number of Chinese cyber espionage groups, including Rancor.
- KHRat: Rancor has aimed to install the KHRat Trojan backdoor in some of its operations, and its malware behavior has shown similarities to older KHRat samples.
- PowerShell-based backdoors: The group frequently uses PowerShell scripts to establish backdoors on victim machines.
- VBScripts: Beyond initial execution, VBScripts, including obfuscated ones like
Chrome.vbs, are utilized for various purposes, notably establishing persistent access. - MSI payloads: Malicious Installer (MSI) files are used to download and execute PowerShell scripts.
- Chrome.js and Avast Antivirus executables: These are examples of legitimate-looking files Rancor uses to disguise its activities and evade detection.
Current Status
Rancor has been actively conducting cyber espionage campaigns since at least 2017. While public reporting extensively covers their activities up to late 2019, including campaigns observed in December 2018-January 2019 and July 2019, detailed public intelligence on their operations beyond this period is limited. The group’s consistent targeting of government entities in Southeast Asia and their demonstrated ability to evolve tactics and malware suggest that Rancor remains an active and persistent threat. However, without more recent public disclosures, their specific operational tempo and latest techniques cannot be definitively outlined.
Related content
Axiom (G0001): Profile of a Sophisticated Chinese Cyber Espionage Group
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Adversary ProfileDragonOK: China-Linked APT Group Targeting Asian & European Organizations
Adversary ProfilePutter Panda: Persistent Chinese Cyber Espionage
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call