PLAINTEE

The PLAINTEE malware is a relatively new addition to the toolkit of an unidentified group, dubbed as "RANCOR". The RANCOR campaign utilizes two primary malware families: DDKONG and PLAINTEE. This malicious software is unique, with only six samples present in our data set. It has been utilized in two distinct attack clusters, labeled A and B, linked through their use of the PLAINTEE malware and several "softer" linkages. These attacks have been grouped together due to the use of the unique PLAINTEE malware, its consistent use of the same file paths in each cluster, and similar targeting patterns. Three variants of the PLAINTEE malware have been identified to date, each exhibiting unique differences. Older versions can be recognized via a unique mutex created during runtime. Interestingly, the malware uses a custom UDP protocol, which is rare and should be considered when building heuristic detections for unknown malware. The malware expects the downloaded plugin to be a DLL with an export function of either 'shell' or 'file'. Additionally, PLAINTEE creates a unique GUID via a call to CoCreateGuid(), which serves as an identifier for the victim. AutoFocus customers may track this threat using the KHRAT, DDKONG, PLAINTEE, and RANCOR tags. The beacon structure for PLAINTEE and a sample analyzed in full are detailed in tables within the report. An example beacon for PLAINTEE is also provided. Given the malware's distinctive characteristics and its association with the previously unidentified RANCOR group, it is essential to remain vigilant and consider these factors when developing detection and defense mechanisms.