An Insight into Ongoing Chinese Hacking Initiatives Against Foreign Governments

Chinese Hacking Group Rancor Targets Southeast Asian Governments with Advanced Phishing Campaign

Phishing remains a prominent tactic employed by cybercriminals and espionage organizations to infiltrate target systems. Despite advancements in threat detection and increased public awareness over the past decade, sophisticated phishing attacks continue to pose a significant risk to both individuals and entities. Recent research by Check Point has revealed a particularly extensive campaign by a Chinese hacking group named Rancor, which has been actively targeting Southeast Asian government institutions.

The campaign attributed to Rancor ran from December 2018 to June 2019 and consisted of a series of well-orchestrated phishing waves aimed at staff in various government sectors. Researchers observed that the group continuously refined its tactics, techniques, and procedures (TTPs) over the seven-month operation to make its phishing emails and lure documents look more legitimate.

Initial attacks involved sending emails that appeared to originate from employees of various government departments, embassies, or entities affiliated with Southeast Asian nations. Notably, the campaigns often spoofed email addresses to evoke greater trust among recipients, facilitating a higher likelihood of interaction with malicious attachments. The attackers demonstrated a determined focus on specific targets, frequently inundating employees under the same ministry with multiple email communications.

Different combinations of TTPs were identified throughout the campaign, leading researchers to classify the attacks into eight main variants. Each variant began with a spear-phishing email carrying a malicious document that either ran macros or exploited known vulnerabilities in the software handling the document, giving the attackers a foothold on the target machine and a path toward sensitive systems.

The documents used in these attacks typically contained legitimate government-related content, including official letters, employee directives, and surveys, which lent credibility to the malicious attachments. A notable component of these phishing attempts was the use of legitimate, signed executables from well-known antivirus products as loaders: because Windows resolves a DLL requested by name starting with the application's own directory, an attacker who drops a malicious DLL beside a copy of the signed binary gets the payload executed inside a trusted process. Behavioural monitoring that trusts the vendor's signed image then has a harder time flagging the activity.

While some stages of the attack chains were fileless, relying on VBA macros and PowerShell rather than dropped binaries, researchers highlighted that many elements of the campaign still produced blatantly malicious interactions with the file system; sideloading, for one, requires writing both the copied executable and the malicious DLL to disk. The attackers' reliance on legitimate software to sideload their malware shows how signature- and reputation-based controls that trust a signed vendor binary can be bypassed, which remains a formidable challenge for defenders.

Experts warn that the sustained nature of these attacks on governmental agencies is unprecedented, and they note with concern that the campaign coincides with upcoming election cycles in the United States. Researchers caution that Rancor's methodology could easily be adapted to target U.S. governmental entities, requiring little more than translating the lure documents into English and matching their themes to the interests of the new victims.

Given its history of targeting nations like Cambodia and Singapore, Rancor’s focus on the Southeast Asian governmental sector reflects its strategic priority in the region. Analysts anticipate that the group will continue to evolve its tactics to outmaneuver detection mechanisms and maintain operational effectiveness.

The detailed research conducted by Check Point highlights the pressing need for vigilance among businesses and government organizations alike. As phishing tactics become increasingly sophisticated, entities must remain proactive in fortifying their cybersecurity defenses to mitigate risks associated with such persistent threats. For an in-depth analysis of the Rancor group’s activities and insights into effective countermeasures, the full report titled “Rancor: The Year of the Phish” is available on Check Point’s website.

In light of these developments, organizations of every size need to keep pace with the changing threat landscape, mapping their defenses to the MITRE ATT&CK framework so that the adversary tactics seen here, initial access through phishing, persistence, and privilege escalation, each have a corresponding detection or control.