Wednesday, 27 June 2018

SEA cyberattacks conducted for espionage by new Rancor group

Throughout 2017 and 2018 Unit 42 from Palo Alto Networks has been tracking and observing a series of targeted attacks focused in Southeast Asia, building on research into the KHRAT Trojan. The lab now says in a blog post that these attacks appear to be conducted by the same set of attackers using previously unknown malware families, and are focused on Singapore and Cambodia, though not limited to them.

"In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes. We believe this group is previously unidentified and therefore we have dubbed it 'Rancor'," said the blog post authors.

Unit 42 reports that Rancor attackers were targeting political entities, and that decoy documents were hosted on legitimate websites, including a government website belonging to the Cambodian government and, in at least one case, Facebook. There was also at least one attack against a company that leveraged a Microsoft Office Excel document with an embedded macro to launch the malware. Rancor attackers have also sent an HTML Application file (.hta) to targets, most likely as an email attachment. The malware may also come in the form of DLL files, Unit 42 said.
