Southeast Asia has come under increased cyber attacks throughout 2017 and 2018, according to threat intelligence findings from Palo Alto Networks.
According to a blog posting last week, the threats appear to be highly targeted not just in how the malware used is distributed but also in the targets chosen for attack.
Unit 42's investigation concludes from this that the attacks are being carried out for espionage purposes.
The attacks use previously unknown malware families, and the attackers themselves remain unidentified at this stage. Unit 42 has dubbed the group Rancor and the two malware families DDKONG and PLAINTEE.
Specifically, DDKONG has been used throughout this targeted campaign and has been known to be in use since February 2017, whereas PLAINTEE appears to be a newer addition to the attackers' toolkit, with the earliest detection dating from October 2017.
The primary targets for these attacks seem to be Singapore and Cambodia.
Channel Asia also understands that the primary targets of these attacks are political entities, based on the nature of the attacks and how they start with the sending of a decoy file, with phishing messages that are of a political nature.
Furthermore, according to research carried out by Unit 42, these decoy documents are hosted on legitimate websites that belong to the Cambodia Government, and in at least one case, Facebook.
This research is a follow-on from the KHRAT Trojan that targeted Cambodian citizens in 2017; in February 2018, several KHRAT-associated domains began resolving to a particular IP address that subsequently became part of the investigation.
Passive DNS records show that several domain names associated with this IP address mimic popular technology companies such as Facebook.
It is notable that the PLAINTEE malware used a custom UDP protocol, which is rare and worth considering when building detections for unknown malware.
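A custom UDP protocol tends to stand out in flow or firewall logs as a workstation repeatedly sending UDP datagrams to a single external address on a port that carries no recognised service. The script below is an added illustration of that detection idea and is not code from the Unit 42 post; the flow records are constructed for the example, and the list of "expected" UDP ports and the beacon thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not from Unit 42): flag hosts with regular UDP traffic to one
# external address on a port outside the services normally seen over UDP.
# The $flows records are constructed sample data in a NetFlow-like shape.

$flows = @(
    # Ordinary DNS and NTP traffic from a workstation
    [pscustomobject]@{ Src='10.0.0.15'; Dst='10.0.0.2';    Port=53;   Proto='UDP'; Time=[datetime]'2018-06-01T09:00:00' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='10.0.0.2';    Port=53;   Proto='UDP'; Time=[datetime]'2018-06-01T09:00:07' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='198.51.100.4'; Port=123;  Proto='UDP'; Time=[datetime]'2018-06-01T09:01:00' }
    # Constructed beacon-like pattern: same destination, unusual port, near-constant gap
    [pscustomobject]@{ Src='10.0.0.15'; Dst='203.0.113.9';  Port=5577; Proto='UDP'; Time=[datetime]'2018-06-01T09:00:10' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='203.0.113.9';  Port=5577; Proto='UDP'; Time=[datetime]'2018-06-01T09:01:11' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='203.0.113.9';  Port=5577; Proto='UDP'; Time=[datetime]'2018-06-01T09:02:10' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='203.0.113.9';  Port=5577; Proto='UDP'; Time=[datetime]'2018-06-01T09:03:12' }
    [pscustomobject]@{ Src='10.0.0.15'; Dst='203.0.113.9';  Port=5577; Proto='UDP'; Time=[datetime]'2018-06-01T09:04:10' }
)

# Assumed allow-list of UDP ports a workstation is expected to talk to (DNS, DHCP,
# NTP, NetBIOS, IPsec, QUIC, STUN). Anything else gets examined.
$expectedUdp = 53, 67, 68, 123, 137, 138, 500, 4500, 443, 3478

# Assumed thresholds: at least this many datagrams, with the spread of the gaps
# between them no more than 20% of the mean gap (a beacon, not a one-off query).
$minDatagrams = 4
$maxJitterRatio = 0.2

$suspects = $flows |
    Where-Object { $_.Proto -eq 'UDP' -and $expectedUdp -notcontains $_.Port } |
    Group-Object Src, Dst, Port |
    Where-Object { $_.Count -ge $minDatagrams } |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        # Seconds between consecutive datagrams in this conversation
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $stats = $gaps | Measure-Object -Average -Minimum -Maximum
        [pscustomobject]@{
            Src        = $_.Group[0].Src
            Dst        = $_.Group[0].Dst
            Port       = $_.Group[0].Port
            Datagrams  = $_.Count
            MeanGapSec = [math]::Round($stats.Average, 1)
            JitterSec  = [math]::Round($stats.Maximum - $stats.Minimum, 1)
        }
    } |
    Where-Object { $_.JitterSec -le ($maxJitterRatio * $_.MeanGapSec) }

# With the constructed data above, only the 10.0.0.15 -> 203.0.113.9:5577 conversation is reported.
$suspects | Format-Table -AutoSize
```

The allow-list is the part that needs the most local knowledge: VoIP, games and some VPN clients all speak UDP on ports not listed here, so the output is a triage queue rather than an alert on its own.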
One mitigation that could help prevent attacks like these from succeeding in your environment, according to Unit 42, is to change the default handler for “.hta” files so that they cannot be directly executed.
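The following is an added example of that .hta handler change on Windows; it is not a script from the Unit 42 post. It assumes an elevated PowerShell session, the standard location of the machine-wide HTA file class under `HKLM:\SOFTWARE\Classes`, and Notepad at its usual path.

```powershell
# Added example (not from Unit 42): repoint the machine-wide .hta file handler so
# that opening an HTA from Explorer shows it as text in Notepad instead of running
# it through mshta.exe. Requires an elevated prompt.

$htaCommandKey = 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'

function Get-HtaHandler {
    # The key's (default) value is the command Explorer runs for .hta files.
    (Get-ItemProperty -Path $htaCommandKey).'(default)'
}

function Set-HtaHandlerToNotepad {
    $before = Get-HtaHandler
    # Keep the original command in a side value so the change can be reverted.
    Set-ItemProperty -Path $htaCommandKey -Name 'OriginalCommand' -Value $before
    # Set-Item on a registry key writes its (default) value.
    Set-Item -Path $htaCommandKey -Value '"C:\Windows\System32\notepad.exe" "%1"'
    [pscustomobject]@{ Before = $before; After = Get-HtaHandler }
}

function Restore-HtaHandler {
    $original = (Get-ItemProperty -Path $htaCommandKey).OriginalCommand
    if ($original) { Set-Item -Path $htaCommandKey -Value $original }
    Get-HtaHandler
}

# Apply the change and show the before/after commands.
Set-HtaHandlerToNotepad

# A per-user class under HKCU takes precedence over the machine-wide one, so
# confirm no user has an override that still points at mshta.exe.
$userKey = 'HKCU:\SOFTWARE\Classes\htafile\shell\open\command'
if (Test-Path $userKey) {
    Write-Warning "Per-user .hta handler present: $((Get-ItemProperty -Path $userKey).'(default)')"
}
```

This only changes what happens when a user opens an .hta file through the shell; mshta.exe itself is untouched, so pair it with application control or a block on mshta.exe where your environment permits, and test the change on a pilot group first since some legacy line-of-business tools still ship as HTAs.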