Rancor, Group G0075 | MITRE ATT&CK®
Rancor
Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]
ID: G0075
Version: 1.3
Created: 17 October 2018
Last Modified: 09 February 2024
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Rancor has used HTTP for C2. [1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Rancor has used cmd.exe to execute commands. [1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Rancor has used VBS scripts as well as embedded macros for execution. [1] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Rancor has compiled VBScript-generated MOF files into WMI event subscriptions for persistence. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | Rancor has downloaded additional malware, including by using certutil. [1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Rancor has attached a malicious document to an email to gain initial access. [1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command. [1] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Rancor has used msiexec to download and execute malicious installer files over HTTP. [1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware. [1] |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0160 | certutil | [1] | Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate |
| S0255 | DDKONG | [1] | Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, System Binary Proxy Execution: Rundll32 |
| S0254 | PLAINTEE | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Modify Registry, Process Discovery, System Information Discovery, System Network Configuration Discovery |
| S0075 | Reg | [1] | Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry |
References

[1] Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
[2] Miller-Osborn, J. and Harbison, M. (2019, December 17). Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia. Retrieved February 9, 2024.