Security researchers have uncovered a new, highly targeted cyber-espionage campaign, believed to be associated with the hacking group behind the KHRAT backdoor Trojan, that has been targeting organizations in South East Asia.
According to researchers from Palo Alto, the hacking group, which they dubbed RANCOR, has been found using two new malware families, PLAINTEE and DDKONG, to target political entities primarily in Singapore and Cambodia.
In previous years, the threat actors behind the KHRAT Trojan were allegedly linked to a Chinese cyber-espionage group known as DragonOK.
While monitoring the C&C infrastructure associated with the KHRAT Trojan, researchers identified multiple variants of these two malware families. PLAINTEE appears to be the latest weapon in the group's arsenal and uses a custom UDP protocol to communicate with its remote command-and-control server.
To deliver both PLAINTEE and DDKONG, the attackers use spear-phishing messages with different infection vectors, including malicious macros inside Microsoft Office Excel files, an HTA loader, and a DLL loader that includes decoy files.
"These decoys contain details from public news articles focused primarily on political news and events," researchers explain. "Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and, in at least one case, Facebook."
Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol, which transmits data in encoded form.
"These families made use of custom network communication to load and execute various plugins hosted by the attackers," researchers say. "Notably, the PLAINTEE malware's use of a custom UDP protocol is rare and worth considering when building heuristic detections for unknown malware."
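The researchers' point that a custom UDP channel is itself a useful heuristic can be turned into a concrete detection. The following is an added example, not code from the Palo Alto report or from the malware itself: it scores constructed flow records (timestamp, source, destination, destination port, protocol, bytes) and flags an internal host that talks to a single external peer over UDP on a non-standard port at a regular interval, which is the shape a plugin-fetching beacon tends to have. The record layout, the allow-list of well-known UDP ports, the RFC 1918 notion of "internal", and the thresholds are all assumptions; nothing here encodes PLAINTEE's actual protocol, which the article does not describe.

```python
"""Flag periodic UDP beacons to external peers on non-standard ports.

Added example (not from the Palo Alto report). Input is a constructed
flow log; field layout, allow-list and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# UDP services that legitimately talk to the outside (assumed allow-list).
KNOWN_UDP_PORTS = {53, 67, 68, 123, 161, 500, 514, 1900, 4500, 5353}

# RFC 1918 ranges treated as "internal" for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flows: "ts src dst dport proto bytes" (ts in epoch seconds).
# 10.0.0.5 beacons every ~60 s to 203.0.113.7:7799/UDP; the rest is noise.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.7  7799 UDP 148
1700000060 10.0.0.5 203.0.113.7  7799 UDP 148
1700000121 10.0.0.5 203.0.113.7  7799 UDP 152
1700000180 10.0.0.5 203.0.113.7  7799 UDP 148
1700000241 10.0.0.5 203.0.113.7  7799 UDP 420
1700000003 10.0.0.5 10.0.0.2     53   UDP 76
1700000010 10.0.0.6 203.0.113.10 123  UDP 76
1700000070 10.0.0.6 203.0.113.10 123  UDP 76
1700000130 10.0.0.6 203.0.113.10 123  UDP 76
1700000190 10.0.0.6 203.0.113.10 123  UDP 76
1700000250 10.0.0.6 203.0.113.10 123  UDP 76
1700000000 10.0.0.6 198.51.100.4 9000 UDP 300
1700000005 10.0.0.6 198.51.100.4 9000 UDP 300
1700000300 10.0.0.6 198.51.100.4 9000 UDP 300
1700000310 10.0.0.6 198.51.100.4 9000 UDP 300
1700000020 10.0.0.7 203.0.113.7  443  TCP 5120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto.upper(),
                      "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    """True if addr falls in one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_udp_beacons(flows, min_events=4, max_jitter=0.25):
    """Return (src, dst, dport) tuples whose UDP traffic looks like a beacon.

    A candidate is internal -> external UDP on a port not in the allow-list.
    It is flagged when it has at least min_events packets and the relative
    spread of inter-packet gaps (pstdev / mean) is at most max_jitter.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] != "UDP" or f["dport"] in KNOWN_UDP_PORTS:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    alerts = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all packets in the same second: not a periodic beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "events": len(times), "interval": round(avg, 1),
                           "jitter": round(jitter, 3)})
    return alerts


if __name__ == "__main__":
    for a in find_udp_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['src']} -> {a['dst']}:{a['dport']}/udp "
              f"{a['events']} pkts every ~{a['interval']}s (jitter {a['jitter']})")
```

On the sample data only the 10.0.0.5 to 203.0.113.7:7799 flow is reported: the NTP traffic is excluded by the allow-list, the internal DNS lookup by the internal-destination rule, the TCP flow by protocol, and the bursty 9000/udp traffic by its high jitter. In a real deployment the allow-list and the jitter threshold need tuning against the environment's baseline, and a hit is a lead for triage (which process owns the socket, what the payload looks like) rather than a verdict on its own.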
DDKONG, on the other hand, has been in use by the hacking group since February 2017 and does not have a custom communication protocol like PLAINTEE, though it is unclear whether one threat actor or more than one uses this malware.
According to the researchers, the final payload of both malware families suggests that their purpose is to conduct cyber espionage against political targets rather than to steal money from them.
Since the RANCOR group primarily targets non-tech-savvy users, it is always advisable to be suspicious of any uninvited document sent via email and never to click on links inside such documents without adequately verifying the source.
Most importantly, use behavior-based antivirus software that can detect and block such malware before it infects your device, and always keep it and your other applications up to date.