Skip to content

G0075 Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. 1

Item Value
ID G0075
Associated Names
Version 1.3
Created 17 October 2018
Last Modified 09 February 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Rancor has used HTTP for C2.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Rancor has used cmd.exe to execute commmands.1
enterprise T1059.005 Visual Basic Rancor has used VBS scripts as well as embedded macros for execution.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription Rancor has complied VBScript-generated MOF files into WMI event subscriptions for persistence.2
enterprise T1105 Ingress Tool Transfer Rancor has downloaded additional malware, including by using certutil.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Rancor has attached a malicious document to an email to gain initial access.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Rancor has used msiexec to download and execute malicious installer files over HTTP.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.1

Software

ID Name References Techniques
S0160 certutil 1 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0255 DDKONG 1 Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Rundll32:System Binary Proxy Execution
S0254 PLAINTEE 1 Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Modify Registry Process Discovery System Information Discovery System Network Configuration Discovery
S0075 Reg 1 Modify Registry Query Registry Credentials in Registry:Unsecured Credentials

References

  1. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  2. Jen Miller-Osborn and Mike Harbison. (2019, December 17). Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. Retrieved February 9, 2024.