Rancor

Threat Actor Profile Updated 3 months ago
Rancor is a threat actor group, first identified and named by Palo Alto Networks Unit 42, that has been conducting targeted cyber-attacks since 2018 (the KHRAT Trojan activity that preceded its identification was tracked through 2017 and 2018). The group has been linked to the DragonOK group, and its operations focus primarily on Southeast Asia. Its attacks rely on two primary malware families, DDKONG and PLAINTEE. The exclusive use of PLAINTEE, a relatively rare family with only six identified samples, is a distinctive feature of the Rancor campaign. Unit 42 observed the campaign targeting countries in Southeast Asia, and the consistent file paths used across each attack cluster point to a coordinated operation rather than opportunistic activity. AutoFocus customers can track this threat through the KHRAT, DDKONG, PLAINTEE and RANCOR tags, which give insight into the group's activity and likely targets. Geopolitical volatility appears to be a significant driver of advanced persistent threat (APT) activity, as illustrated by groups such as CactusPete, LightSpy, Rancor, Holy Water and TwoSail Junk, and the ongoing regional tensions involving the U.S., Japan and South Korea referenced in the sources below make continued vigilance necessary. The Rancor campaign is part of a continuing trend of targeted attacks and underscores the need for robust defenses against such actors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description

PLAINTEE (1 vote): The PLAINTEE malware is a relatively new addition to the toolkit of a previously unidentified group dubbed "RANCOR". The RANCOR campaign utilizes two primary malware families: DDKONG and PLAINTEE. This malicious software is unique, with only six samples present in our data set. It has been utilized in two

DDKONG (1 vote): DDKONG is a type of malware that has been used in cyber attacks orchestrated by a group we have named "RANCOR". This group, which we believe to be previously unidentified, uses two primary malware families: DDKONG and PLAINTEE. DDKONG has been used consistently throughout the RANCOR group's campaign

DragonOK (1 vote): DragonOK, a threat actor group reportedly linked to China, has been associated with various malicious activities, including the deployment of the infamous Remote Access Trojan (RAT) known as FormerFirstRAT. This multi-featured RAT allows threat actors to gain complete control over a targeted machine

Khrat (1 vote): KHRAT is a Trojan tracked alongside the DDKONG, PLAINTEE and RANCOR tags; the activity behind it has been conducting highly targeted cyberattacks in South East Asia. The cybersecurity industry began tracking this activity throughout 2017 and 2018, with the focus of the research being on the KHRAT Trojan, a previ
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
APT
Espionage
Japan
Associated Malware
No associations to display
Associated Threat Actors
CactusPete (type: Unspecified, 1 vote):
CactusPete, also known as Tonto Team, is a Chinese-speaking cyber-espionage group that has been active since at least 2012. Characterized by medium-level technical capabilities, CactusPete has demonstrated a significant development pace, producing more than 20 samples per month. The group primarily
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Rancor threat actor was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title

CERT-EU (a year ago): At Camp David, Biden looks to cement a fragile truce

MITRE (a year ago): APT trends report Q1 2020

MITRE (a year ago): RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families

MITRE (a year ago): Russia-Linked Hackers Target Diplomatic Entities in Central Asia