PLAINTEE

Malware Profile Updated 3 months ago
PLAINTEE is a relatively new addition to the toolkit of a previously unidentified group dubbed RANCOR. The RANCOR campaign relies on two primary malware families, DDKONG and PLAINTEE. PLAINTEE is rare: only six samples are present in the data set. It has been observed in two distinct attack clusters, labeled A and B, which are tied together by their shared use of PLAINTEE, by the reuse of the same file paths within each cluster, by similar targeting, and by several "softer" linkages.

Three variants of PLAINTEE have been identified to date, each with its own differences; older versions can be recognized by a unique mutex created at runtime. The malware communicates over a custom UDP protocol. Bespoke UDP command-and-control is uncommon, which makes unexpected UDP traffic to non-standard ports a useful signal when building heuristic detections for unknown malware. PLAINTEE expects any downloaded plugin to be a DLL exporting a function named either "shell" or "file", so those export names are a reasonable hunting criterion for dropped DLLs. It also generates a GUID via a call to CoCreateGuid() and uses it as the victim identifier.

AutoFocus customers may track this threat using the KHRAT, DDKONG, PLAINTEE, and RANCOR tags. The PLAINTEE beacon structure and a fully analyzed sample are detailed in tables in the source report, which also provides an example beacon. Given the malware's distinctive characteristics and its association with the RANCOR group, these traits should be factored into detection and defense engineering.
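The detection angle the profile calls out is the custom UDP protocol. The following is an added example, not code from this page or from the Unit 42 report, of the kind of heuristic a detection engineer would run over flow records to surface bespoke UDP beaconing: it groups UDP packets by (source, destination, port) and flags conversations whose inter-packet timing and payload size are both unusually regular, down-ranking well-known UDP services. It does not encode PLAINTEE's actual beacon layout (which this page says lives in the report's tables); the Flow schema, the thresholds, the WELL_KNOWN_UDP set and every host and port in SAMPLE_FLOWS are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One packet-level flow record (constructed schema, not a real sensor format)."""
    ts: float     # epoch seconds
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int
    nbytes: int   # UDP payload length


# Ports where periodic UDP is expected (DNS, DHCP, NTP, NetBIOS, SNMP, IKE, SSDP, mDNS).
# Hits on these are reported but ranked last rather than suppressed outright.
WELL_KNOWN_UDP = {53, 67, 68, 123, 137, 138, 161, 500, 1900, 4500, 5353}


def _cv(values):
    """Coefficient of variation; inf when the mean is zero so the flow never matches."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def beacon_candidates(flows, min_packets=6, max_interval_cv=0.25, max_size_cv=0.20):
    """Return UDP conversations whose timing and payload size are both suspiciously regular.

    Each candidate is a dict with the conversation key, packet count, mean interval,
    the two coefficients of variation, and whether the port is a well-known UDP service.
    Thresholds are assumed starting points, not tuned values.
    """
    groups = defaultdict(list)
    for f in flows:
        if f.proto == "udp":
            groups[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), pkts in groups.items():
        if len(pkts) < min_packets:
            continue
        pkts = sorted(pkts, key=lambda f: f.ts)
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        sizes = [f.nbytes for f in pkts]
        icv, scv = _cv(gaps), _cv(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "packets": len(pkts),
                "mean_interval_s": round(mean(gaps), 1),
                "interval_cv": round(icv, 3),
                "size_cv": round(scv, 3),
                "well_known_port": dport in WELL_KNOWN_UDP,
            })
    # Unknown-port beacons first, then the most regular ones.
    findings.sort(key=lambda d: (d["well_known_port"], d["interval_cv"]))
    return findings


# Constructed sample: one periodic UDP talker on an unregistered port, one periodic
# NTP client, one bursty DNS client, and one TCP session that must be ignored.
SAMPLE_FLOWS = [
    *[Flow(t, "10.0.0.5", "203.0.113.7", "udp", 5050, n)
      for t, n in zip([0, 61, 119, 181, 240, 301, 359, 420],
                      [48, 48, 52, 48, 50, 48, 48, 52])],
    *[Flow(t, "10.0.0.5", "10.0.0.2", "udp", 123, 48) for t in range(0, 448, 64)],
    *[Flow(t, "10.0.0.5", "10.0.0.1", "udp", 53, n)
      for t, n in zip([3, 4, 30, 31, 200, 205, 206, 400],
                      [41, 63, 38, 90, 44, 41, 120, 39])],
    *[Flow(t, "10.0.0.5", "198.51.100.9", "tcp", 443, 1200) for t in range(0, 600, 60)],
]


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

On the constructed sample the unregistered-port talker surfaces first (interval and size CVs near zero), the NTP client matches but is ranked last because of its well-known port, and the DNS burst fails the timing test. In production the same logic should be run per time window and joined back to the originating process so that a hit can be checked for the other traits the profile lists, such as the runtime mutex or a dropped DLL exporting "shell" or "file".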
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles that may also be worth a look.

DDKONG (1 vote)
DDKONG is a malware family used in cyber attacks orchestrated by a group we have named RANCOR. This group, which we believe to be previously unidentified, uses two primary malware families: DDKONG and PLAINTEE. DDKONG has been used consistently throughout the RANCOR group's campaign

Rancor (1 vote)
Rancor, a previously unidentified threat actor group, has been executing targeted cyber-attacks since 2018. The cybersecurity industry has linked Rancor with the DragonOK group, and its activities have been observed to focus primarily on Southeast Asia. The group's attack

Khrat (1 vote)
KHRAT is a Trojan tracked alongside the DDKONG, PLAINTEE, and RANCOR activity, which has involved highly targeted cyberattacks in South East Asia. The cybersecurity industry began tracking this activity throughout 2017 and 2018, with the focus of the research being on the KHRAT Trojan, a previ
Miscellaneous Associations
Other elements of context that could aid in assessing relevance.

Malware: Beacon
Source Document References
Information about the PLAINTEE malware was read from the document corpus below.

MITRE (a year ago): RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families