Rancor, a previously unidentified threat actor group, has been executing malicious actions through targeted cyber-attacks since 2018. The cybersecurity industry has linked Rancor with the DragonOK group, and their activities have been observed to focus primarily on Southeast Asia. The group's attacks are characterized by the use of two primary malware families: DDKONG and PLAINTEE. In particular, the group's exclusive use of the relatively uncommon PLAINTEE malware, of which six samples have been identified, is a distinctive feature of the RANCOR campaign.
The RANCOR campaign has been seen to target various countries, as identified by Unit 42. These include, but are not limited to, nations within Southeast Asia. The campaign's use of consistent file paths across each attack cluster suggests a coordinated strategy. AutoFocus customers can track this threat via KHRAT, DDKONG, PLAINTEE, and RANCOR tags, providing valuable insight into the group's activities and potential targets.
It's important to note that geopolitical volatility seems to be a significant driver of advanced persistent threat (APT) activity, as evidenced by groups such as CactusPete, LightSpy, Rancor, Holy Water, TwoSail Junk, and others. This highlights the necessity of maintaining vigilance in cybersecurity efforts, especially considering the ongoing tensions involving the U.S., Japan, and South Korea. The RANCOR campaign represents a continued trend of targeted attacks, underscoring the need for robust security measures against such threat actors.
Description last updated: 2024-05-05T07:06:12.013Z