Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia


Executive Summary


In late June 2018, Unit 42 revealed a previously unknown cyber espionage group we dubbed Rancor, which conducted targeted attacks in Southeast Asia throughout 2017 and 2018. In recent attacks, the group has persistently targeted at least one government organization in Cambodia from December 2018 through January 2019. While researching these attacks, we discovered an undocumented, custom malware family – which we’ve named Dudell. In addition, we discovered the group using Derusbi, which is a malware family believed to be unique to a small subset of Chinese cyber espionage groups.


Attack Details


Between early December 2018 and the end of January 2019, Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware on victim systems. In January 2019, the attacks were sent via 149.28.156[.]61 to deliver either Derusbi or KHRat samples, using either cswksfwq.kfesv[.]xyz or connect.bafunpda[.]xyz as the C2.


Malware Overview


DUDELL


SHA256: 0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e
File Type: Microsoft Excel 97 – 2003 Document
File Name: Equipment Purchase List 2018-2020(Final).xls

Table 1. DUDELL properties


The DUDELL sample is a weaponized Microsoft Excel document containing a malicious macro that runs on the victim's machine. It shares the same malicious behavior as the sample Check Point reported in "Rancor: The Year of The Phish" (SHA-1 c829f5f9ff89210c888c1559bb085ec6e65232de). The sample in Check Point's blog is from December 2018, while this sample is from April 2018. It has the following metadata:
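The indicators published above (the DUDELL document hash and file type in Table 1, and the delivery IP and C2 domains from the Attack Details section) are the pieces a defender would feed into a triage or log-sweep job. The following script is an added example written for this page; it is not code from Unit 42 or from the original post. It refangs the published network indicators, scans a small set of constructed DNS/proxy log lines for them, and checks a file's SHA256 and OLE2 header against the DUDELL properties. The log lines and the `triage_file` helper are constructed for illustration; the indicator values themselves are taken verbatim from the post.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Network indicators exactly as published (defanged) in the Attack Details section.
DEFANGED_NETWORK_IOCS = [
    "149.28.156[.]61",           # January 2019 delivery host
    "cswksfwq.kfesv[.]xyz",      # Derusbi / KHRat C2
    "connect.bafunpda[.]xyz",    # Derusbi / KHRat C2
]

# File hash from Table 1 (DUDELL properties).
KNOWN_SHA256: Dict[str, str] = {
    "0d61d9baab9927bb484f3e60384fdb6a3709ca74bc6175ab16b220a68f2b349e":
        "DUDELL - Equipment Purchase List 2018-2020(Final).xls",
}

# OLE2 compound-document magic; an Excel 97-2003 .xls file starts with these bytes.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (as published) back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Sorted so scan results are deterministic.
NETWORK_IOCS: List[str] = sorted(refang(i) for i in DEFANGED_NETWORK_IOCS)


def _ioc_in_line(ioc: str, line: str) -> bool:
    """IPs must match as a whole token; a domain also matches any subdomain of it."""
    if IPV4_RE.match(ioc):
        pattern = r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])"
    else:
        pattern = r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w.-])"
    return re.search(pattern, line) is not None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, indicator) for every published IOC seen in the log."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, 1):
        for ioc in NETWORK_IOCS:
            if _ioc_in_line(ioc, line):
                hits.append((lineno, ioc))
    return hits


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_ole2(data: bytes) -> bool:
    """True if the bytes carry the OLE2 header used by Excel 97-2003 documents."""
    return data[: len(OLE2_MAGIC)] == OLE2_MAGIC


def triage_file(data: bytes) -> Dict[str, object]:
    """Hypothetical triage helper: hash match against Table 1 plus file-type sanity check."""
    digest = sha256_of_bytes(data)
    return {
        "sha256": digest,
        "known_malware": KNOWN_SHA256.get(digest),
        "ole2_container": is_ole2(data),
    }


# Constructed sample log lines (not real telemetry) in a DNS/proxy style.
SAMPLE_LOG = """\
2019-01-14T09:12:03Z dns client=10.0.8.21 query=connect.bafunpda.xyz type=A
2019-01-14T09:12:04Z proxy client=10.0.8.21 dst=149.28.156.61:443 method=CONNECT
2019-01-14T09:13:10Z dns client=10.0.8.40 query=www.example.com type=A
2019-01-14T09:15:22Z dns client=10.0.8.21 query=cswksfwq.kfesv.xyz type=A
"""


if __name__ == "__main__":
    for lineno, ioc in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: matched {ioc}")
    # Constructed stand-in bytes; the real DUDELL sample is not embedded here.
    print(triage_file(OLE2_MAGIC + b"\x00" * 8))
```

The domain matcher deliberately accepts subdomains of the published C2 names, while the IP matcher requires a whole-token match so that `149.28.156.61` does not fire on a longer address. Swap `SAMPLE_LOG` for a real DNS or proxy export to run the same sweep over production logs.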


Codepage: 1252
Author: MS
Last author: MS
A ..
