G0075 Rancor
Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]
Item | Value
---|---
ID | G0075
Associated Names | (none)
Version | 1.2
Created | 17 October 2018
Last Modified | 30 March 2020
Techniques Used
Domain | ID | Name | Use
---|---|---|---
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Rancor has used HTTP for C2. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Rancor has used cmd.exe to execute commands. [1]
enterprise | T1059.005 | Visual Basic | Rancor has used VBS scripts as well as embedded macros for execution. [1]
enterprise | T1105 | Ingress Tool Transfer | Rancor has downloaded additional malware, including by using certutil. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Rancor has attached a malicious document to an email to gain initial access. [1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command. [1]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.007 | Msiexec | Rancor has used msiexec to download and execute malicious installer files over HTTP. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware. [1]