New malware uses specially crafted UDP protocol for C&C Communications

Recently, the cybersecurity firm Palo Alto Networks discovered a new cyber-espionage campaign that used the KHRAT backdoor Trojan in attacks targeting countries in Southeast Asia. The group behind the campaign, named RANCOR, used two new malware families, PLAINTEE and DDKONG, to attack political groups in Singapore and Cambodia. Previously, the main user of the KHRAT Trojan was DragonOK, a cyber-espionage group from China.

Researchers analysed the two malware families by examining the communication between the KHRAT Trojan and its remote server. PLAINTEE uses a customised UDP protocol for its remote communication. The attackers spread the two malware families through different phishing methods, such as adding a malicious macro to an Excel file or delivering an HTA loader or DLL loader through a phishing document.

The researchers also found that most of these phishing documents were built from online news releases about political events, and that the news came from legitimate sources, including the official website of the Cambodian government and Facebook. After installation, PLAINTEE also downloads and installs additional plug-ins from remote servers, again over the custom UDP protocol. This poses a new challenge for network security vendors, who need to develop detections for this UDP protocol. The other malware family, DDKONG, has been widely used by hacking groups since February 2017, but it does not use a specific UDP protocol for communication.
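The article notes that defenders need detections for a custom UDP C2 channel but gives no specifics of PLAINTEE's protocol (no ports, payload format or timing). The following is an added example, not code from the article or from the Palo Alto Networks report, and it does not detect PLAINTEE itself: it flags the generic pattern that a custom UDP C2 channel tends to produce in flow logs, namely one internal host sending many small UDP flows to a single external address at regular intervals on a port that is not a well-known UDP service. The `Flow` record layout, the port allow-list and the sample flows are all constructed for the example.

```python
"""Periodic UDP beacon heuristic over flow records (added example).

Assumptions (not from the article): flows arrive as (timestamp, src, dst,
dport, bytes) records such as a NetFlow/IPFIX export would provide; "internal"
means RFC 1918, loopback or link-local; the well-known UDP port list reflects
this network's expected services.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# UDP services expected on this network; flows to these ports are ignored.
KNOWN_UDP_PORTS = {53, 67, 68, 123, 161, 443, 500, 4500}

# Address ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Flow:
    ts: float      # flow start, epoch seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination UDP port
    nbytes: int    # bytes sent in the flow


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_udp_beacons(flows, min_flows=6, max_jitter=0.15, max_bytes=512):
    """Return (src, dst, dport, mean_interval) for groups that look like beacons.

    Groups flows by (src, dst, dport), keeps only external destinations on
    non-standard ports, and requires at least `min_flows` small flows whose
    inter-arrival times have a coefficient of variation <= `max_jitter`.
    Bulk transfers (large flows) and irregular traffic are not flagged.
    """
    groups = defaultdict(list)
    for f in flows:
        if f.dport in KNOWN_UDP_PORTS or not is_external(f.dst):
            continue
        groups[(f.src, f.dst, f.dport)].append(f)

    hits = []
    for key, fs in groups.items():
        if len(fs) < min_flows:
            continue
        if max(f.nbytes for f in fs) > max_bytes:
            continue  # too much data per flow for a check-in beacon
        ts = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # relative jitter of the interval
        if cv <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


# Constructed sample flows. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges used here as placeholders for external hosts.
SAMPLE_FLOWS = []
# Host 10.0.0.5 sends a small UDP packet to one external host roughly every 60 s.
SAMPLE_FLOWS += [Flow(1000 + 60 * i + (i % 3), "10.0.0.5", "198.51.100.7", 5555, 48 + i)
                 for i in range(10)]
# Ordinary DNS lookups to the internal resolver: ignored by port and destination.
SAMPLE_FLOWS += [Flow(1000 + 7 * i, "10.0.0.5", "10.0.0.1", 53, 80) for i in range(30)]
# Irregular small UDP traffic to an external host: rejected by the jitter test.
SAMPLE_FLOWS += [Flow(1000 + i * i, "10.0.0.9", "203.0.113.20", 27015, 300) for i in range(8)]
# Regular but large UDP flows (e.g. a media stream): rejected by the size test.
SAMPLE_FLOWS += [Flow(1000 + 5 * i, "10.0.0.7", "203.0.113.50", 9000, 1400) for i in range(20)]

if __name__ == "__main__":
    for src, dst, dport, interval in find_udp_beacons(SAMPLE_FLOWS):
        print(f"possible UDP beacon: {src} -> {dst}:{dport} every ~{interval}s")
```

Thresholds like `max_jitter` and `max_bytes` are starting points to tune against a network's own baseline; the heuristic is meant to surface candidates for analyst review, not to identify a specific malware family.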

The researchers' current findings indicate that these two malware families are used mainly for cyber espionage against political groups rather than for financial gain. Since the RANCOR group primarily targets ordinary users, the researchers strongly recommend that users do not simply click links in emails or Office documents. Installing anti-virus software with real-time monitoring helps protect the operating system, and applications should be kept up to date.