DDKONG

Malware updated 4 months ago (2024-05-04T20:26:34.519Z)
DDKONG is a malware family used in cyber attacks orchestrated by a group we have named "RANCOR". This group, which we believe to be previously unidentified, uses two primary malware families: DDKONG and PLAINTEE. DDKONG has been used consistently throughout the RANCOR group's campaign, from February 2017 to the present. PLAINTEE is a newer addition to the attackers' toolkit, with its earliest known use dating to October 2017. In every instance where we were able to identify the final payload used in these attacks, it belonged to either the DDKONG or the PLAINTEE family.

DDKONG operates by decoding an embedded configuration using a single-byte XOR key of 0xC3. Once this configuration is decoded and parsed, DDKONG sends a beacon to the configured remote server over a raw TCP connection. If it is the only instance of DDKONG running at the time, the malware continues its operation.

Our AutoFocus customers can track this threat using the KHRAT, DDKONG, PLAINTEE, and RANCOR tags. We have fully analyzed a sample of DDKONG (Table 1), revealing its communication pattern with remote command and control servers (Figure 6). By understanding the behavior and methods of these malware families, we aim to provide effective countermeasures and help protect systems against these threats.
Description last updated: 2023-11-28T20:39:38.437Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the DDKONG Malware was read from the documents corpus below. This display is limited to 20 results.
Source: MITRE (created 2 years ago)
Title: RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families