Security researchers have uncovered a new, highly targeted cyber espionage campaign, which is believed to be associated with the hacking group behind the KHRAT backdoor Trojan and has been targeting organizations in South East Asia.
According to researchers from Palo Alto, the hacking group, which they dubbed Rancor, has been found using two new malware families, PLAINTEE and DDKONG, to target political entities primarily in Singapore and Cambodia.
In previous years, the threat actors behind the KHRAT Trojan were allegedly linked to a Chinese cyber espionage group known as DragonOK.
While monitoring the C&C infrastructure associated with the KHRAT Trojan, researchers identified multiple variants of these two malware families. PLAINTEE appears to be the latest weapon in the group's arsenal and uses a custom UDP protocol to communicate with its remote command-and-control server.
To deliver both PLAINTEE and DDKONG, the attackers use spear-phishing messages with several different infection vectors, including malicious macros inside a Microsoft Office Excel file, an HTA loader, and a DLL loader, each accompanied by decoy files.
"These decoys contain details from public news articles focused primarily on political news and events," the researchers explain. "Additionally, these decoy documents are hosted on legitimate websites, including a government website belonging to the Cambodia Government and, in at least one case, Facebook."
Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol, which transmits data in encoded form.
"These families made use of custom network communication to load and execute various plugins hosted by the attackers," the researchers say. "Notably, the PLAINTEE malware's use of a custom UDP protocol is rare and worth considering when building heuristic detections for unknown malware."
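As an added illustration of the kind of heuristic the researchers allude to (this is example code written for this article, not anything from the Palo Alto report or a PLAINTEE sample), the script below flags repeated outbound UDP conversations on non-standard ports whose payloads have high Shannon entropy, the signature of encoded or encrypted data. The port allowlist, thresholds and sample flows are all assumptions constructed for the example.

```python
import math
import random
from collections import defaultdict

# Assumed allowlist: UDP ports of services that legitimately carry opaque-looking
# payloads (DNS, DHCP, NTP, QUIC, IKE, SSDP, STUN, NAT-T, mDNS). Tune per network.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 443, 500, 1900, 3478, 4500, 5353}
MIN_DATAGRAMS = 3        # a single datagram is noise; C2 beacons repeat
ENTROPY_THRESHOLD = 5.5  # bits/byte; encoded data sits well above plaintext (~3-4.5)

def shannon_entropy(payload: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not payload:
        return 0.0
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_custom_udp(flows):
    """Group datagrams by (src_host, dst_ip, dst_port) and return
    (src_host, dst_ip, dst_port, datagram_count, mean_entropy) for every repeated
    conversation on a non-allowlisted port whose payloads look encoded."""
    groups = defaultdict(list)
    for src, dst, port, payload in flows:
        groups[(src, dst, port)].append(shannon_entropy(payload))
    alerts = []
    for (src, dst, port), entropies in groups.items():
        if port in KNOWN_UDP_PORTS or len(entropies) < MIN_DATAGRAMS:
            continue
        mean = sum(entropies) / len(entropies)
        if mean >= ENTROPY_THRESHOLD:
            alerts.append((src, dst, port, len(entropies), round(mean, 2)))
    return alerts

def _opaque(seed: int, size: int = 256) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encoded beacon (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

# Constructed sample traffic using documentation address ranges; none of it is real capture.
SAMPLE_FLOWS = [
    ("ws-07", "198.51.100.53", 53, b"\x12\x34\x01\x00\x00\x01\x07example\x03com\x00\x00\x01\x00\x01"),
    ("ws-07", "198.51.100.123", 123, b"\x23" + b"\x00" * 47),   # NTP client request
    ("ws-07", "203.0.113.20", 9000, b"PING ws-07 " * 8),        # repeated, but plaintext
    ("ws-07", "203.0.113.20", 9000, b"PING ws-07 " * 8),
    ("ws-07", "203.0.113.20", 9000, b"PING ws-07 " * 8),
    ("ws-07", "203.0.113.10", 5566, _opaque(1)),                 # encoded beacons, odd port
    ("ws-07", "203.0.113.10", 5566, _opaque(2)),
    ("ws-07", "203.0.113.10", 5566, _opaque(3)),
    ("ws-07", "203.0.113.10", 5566, _opaque(4)),
    ("ws-12", "203.0.113.77", 31337, _opaque(5)),                # one-off: below MIN_DATAGRAMS
]

if __name__ == "__main__":
    for alert in flag_custom_udp(SAMPLE_FLOWS):
        print("suspicious custom UDP conversation:", alert)
```

Only the conversation to 203.0.113.10:5566 is reported; the plaintext chatter on port 9000, the allowlisted DNS and NTP traffic, and the single datagram to port 31337 are all suppressed.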
DDKONG, on the other hand, has been in use by the hacking group since February 2017 and does not use a custom communication protocol like PLAINTEE, though it is unclear whether this malware is used by a single threat actor or by several.
According to the researchers, the final payload of both malware families suggests that their purpose is to conduct cyber espionage against political targets rather than to steal money from them.
Since the Rancor group primarily targets non-tech-savvy users, the usual advice applies: be suspicious of any unsolicited document sent via email and never click on links inside such documents unless you have adequately verified the source.
Most importantly, use behavior-based antivirus software that can detect and block such malware before it can infect your device, and always keep it and your other applications up to date.