Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]

ID: G0075
Version: 1.1

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceRancor has used cmd.exe to execute commmands.[1]
EnterpriseT1105Remote File CopyRancor has downloaded additional malware, including by using certutil.[1]
EnterpriseT1053Scheduled TaskRancor launched a scheduled task to gain persistence using the schtasks /create /sc command.[1]
EnterpriseT1064ScriptingRancor has used shell and VBS scripts as well as embedded macros for execution.[1]
EnterpriseT1218Signed Binary Proxy ExecutionRancor has used msiexec to download and execute malicious installer files over HTTP.[1]
EnterpriseT1193Spearphishing AttachmentRancor has attached a malicious document to an email to gain initial access.[1]
EnterpriseT1071Standard Application Layer ProtocolRancor has used HTTP for C2.[1]
EnterpriseT1204User ExecutionRancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[1]

Software

IDNameReferencesTechniques
S0160certutil[1]Deobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0255DDKONG[1]Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, File and Directory Discovery, Remote File Copy, Rundll32
S0254PLAINTEE[1]Bypass User Account Control, Command-Line Interface, Custom Command and Control Protocol, Custom Cryptographic Protocol, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, System Information Discovery, System Network Configuration Discovery
S0075Reg[1]Credentials in Registry, Modify Registry, Query Registry

References