Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Windows | defense-evasion, execution | Signed Binary Proxy Execution | Rancor has used msiexec to download and execute malicious installer files over HTTP. |
Process monitoring, Process command-line parameters |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | Rancor has attached a malicious document to an email to gain initial access. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | Rancor has downloaded additional malware, including by using certutil. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Windows | execution, persistence, privilege-escalation | Scheduled Task | Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command. |
File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Rancor has used shell and VBS scripts as well as embedded macros for execution. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Rancor has used HTTP for C2. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Linux, macOS, Windows | execution | Command-Line Interface | Rancor has used cmd.exe to execute commmands. | Process monitoring, Process command-line parameters |
| Linux, Windows, macOS | execution | User Execution | Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware. | Anti-virus, Process command-line parameters, Process monitoring |