Phishing is still one of the widely used strategies by cybercriminals and espionage groups to gain an initial foothold on the targeted systems.
Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has slowed down the success of phishing and social engineering attacks over the years.
Since phishing is more sort of a one-time opportunity for hackers before their victims suspect it and likely won’t fall for the same trick again, sophisticated hacking groups have started putting a lot of effort, time and research to design well-crafted phishing campaigns.
In one such latest campaign discovered by cybersecurity researchers at Check Point, a Chinese hacking group, known as Rancor, has been found conducting very targeted and extensive attacks against Southeast Asian government entities from December 2018 to June 2019.
What’s interesting about this ongoing 7-month long campaign is that over this period, the Rancor group has continuously updated tactics, tools, and procedures (TTP) based on its targets in an effort to come up with phishing email contents and lure documents appear being as convincing as possible.
Continuously Evolving Tactics, Tools, and Procedures
Researchers discovered different combinations of TTP based on their timeline, delivery, persistence, and payloads, and then combined them into 8 major variants, as listed below in this article.
Each attack variant started with a classic spear-phishing email containing a malicious document designed to run macros and exploit known vulnerabilities to install a backdoor on the victims’ machines and gain full access to the systems.
Most of the delivery documents in this campaign contained legitimate government-related topics, like instructions for governmental employees, official letters, press releases, surveys, and more, appeared to be sent from other government officials.
Interestingly, as part of the infection chain, in most campaigns, attackers also bring their own legitimate, signed and trusted executables of major antivirus products to side-load malicious DLLs (dynamic link library) files to evade detection, especially from behavioral monitoring products.
As shown in the illustrations above, the abused legitimate executables belong to antivirus products including a component of Avast antivirus, BitDefender agent and Windows defender.
Though the attack chains involve fileless activities like usage of VBA macros, PowerShell code, and legitimate Windows built-in tools, this campaign is not designed to achieve a fileless approach as the researchers told The Hacker News that other parts of the campaign expose malicious activities to the file system.
Rancor hacking group has previously been found attacking Cambodia and Singapore and continued its operations against entities within the Southeast Asia region, and this time the group has put 7 months of its effort on targeting the Southeast Asian government sector.
To learn more about the Rancor group and its latest campaign, you can head on to the CheckPoint report titled, “Rancor: The Year of the Phish.”