Rancor

Associated Group Descriptions

Name | Description
---|---

Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Rancor has used HTTP for C2.(Citation: Rancor Unit42 June 2018)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Rancor has used cmd.exe to execute commands.(Citation: Rancor Unit42 June 2018)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Rancor has used VBS scripts as well as embedded macros for execution.(Citation: Rancor Unit42 June 2018)
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Rancor has compiled VBScript-generated MOF files into WMI event subscriptions for persistence.(Citation: Rancor WMI)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Rancor has attached a malicious document to an email to gain initial access.(Citation: Rancor Unit42 June 2018)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Rancor launched a scheduled task to gain persistence using the
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Rancor has used
Enterprise | T1204.002 | User Execution: Malicious File | Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.(Citation: Rancor Unit42 June 2018)
Software

ID | Name | References | Techniques
---|---|---|---
S0160 | certutil | (Citation: Rancor Unit42 June 2018) (Citation: TechNet Certutil) | Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0254 | PLAINTEE | (Citation: Rancor Unit42 June 2018) | Custom Command and Control Protocol, System Information Discovery, Modify Registry, System Network Configuration Discovery, Bypass User Account Control, Process Discovery, Registry Run Keys / Startup Folder, Symmetric Cryptography, Windows Command Shell, Ingress Tool Transfer
S0075 | Reg | (Citation: Microsoft Reg) (Citation: Rancor Unit42 June 2018) (Citation: Windows Commands JPCERT) | Credentials in Registry, Query Registry, Modify Registry
S0255 | DDKONG | (Citation: Rancor Unit42 June 2018) | Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Rundll32, Custom Command and Control Protocol, File and Directory Discovery

References

- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Jen Miller-Osborn and Mike Harbison. (2019, December 17). Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. Retrieved February 9, 2024.