ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. ^[1]

ID: S0254

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 17 October 2018

Last Modified: 25 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	An older variant of PLAINTEE performs UAC bypass.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	PLAINTEE gains persistence by adding the Registry key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce`.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	PLAINTEE uses cmd.exe to execute commands on the victim’s machine.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	PLAINTEE encodes C2 beacons using XOR.^[1]
Enterprise	T1105		Ingress Tool Transfer	PLAINTEE has downloaded and executed additional plugins.^[1]
Enterprise	T1112		Modify Registry	PLAINTEE uses `reg add` to add a Registry Run key for persistence.^[1]
Enterprise	T1057		Process Discovery	PLAINTEE performs the `tasklist` command to list running processes.^[1]
Enterprise	T1082		System Information Discovery	PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.^[1]
Enterprise	T1016		System Network Configuration Discovery	PLAINTEE uses the `ipconfig /all` command to gather the victim’s IP address.^[1]

Groups That Use This Software

ID	Name	References
G0075	Rancor	^[1]

References

Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.