DDKONG

Type: Backdoor

(Palo Alto) The malware in question is configured with the following three exported functions:
• ServiceMain
• Rundll32Call
• DllEntryPoint
The ServiceMain exported function indicates that this DLL is expected to be loaded as a service. If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe. The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. If it’s not, it dies. This ensures that only a single instance of DDKong is executed at a given time.

[News Analysis] Trends:

Total Trend: 5

Trend Per Year
2018: 1
2019: 1
2020: 2
2022: 1


Trend Per Month
Jun 2018: 1
Dec 2019: 1
2020: 1
Jan 2020: 1
Jul 2022: 1



[News Analysis] News Mention Another Threat Name:

17 - DDKONG
4 - KHRAT
17 - PLAINTEE
3 - RANCOR
10 - BLACKCOFFEE
10 - Cotx RAT
10 - Datper
11 - Derusbi
10 - Icefog
10 - Korlia
10 - NewCore RAT
10 - Poison Ivy
10 - Sisfader
6 - Aveo
6 - IsSpace
6 - PlugX
6 - Rambo
6 - DragonOK


[TTP Analysis] Technique Performance:

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 0/19
Execution: 0/36
Persistence: 0/113
Privilege Escalation: 0/96
Defense Evasion: 2/184
Credential Access: 0/63
Discovery: 1/44
Lateral Movement: 0/22
Collection: 0/37
Command and Control: 1/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Techniques:
T1140 Deobfuscate/Decode Files or Information (TA0005 Defense Evasion)
T1218.011 System Binary Proxy Execution: Rundll32 (TA0005 Defense Evasion)
T1083 File and Directory Discovery (TA0007 Discovery)
T1105 Ingress Tool Transfer (TA0011 Command and Control)


[Infrastructure Analysis] Based on Related IOC:

IP:Port / Timestamp: no entries
Domain / Timestamp: no entries
URL / Timestamp: no entries


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Rancor Taurus

2022-07-18 by Unit 42 from Palo Alto Networks Unit 42

An Overhead View of the Royal Road

2020-01-29 by nao_sec from nao_sec blog

BRONZE OVERBROOK

2020 by SecureWorks from Secureworks

Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia

2019-12-17 by Jen Miller-Osborn from Palo Alto Networks Unit 42

RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families

2018-06-26 by Brittany Ash from Palo Alto Networks Unit 42

Basic Information (Credit @etda.or.th)

Tool: DDKONG

Names: DDKONG

Description: (Palo Alto) Identical to the summary quoted at the top of this page.

Category: Malware

Type: Backdoor

Information: https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

Mitre-attack: https://attack.mitre.org/software/S0255/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:DDKONG

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Techniques:
T1140 Deobfuscate/Decode Files or Information (TA0005 Defense Evasion)
DDKONG decodes an embedded configuration using XOR.
T1218.011 System Binary Proxy Execution: Rundll32 (TA0005 Defense Evasion)
DDKONG uses rundll32 to ensure only a single instance of itself is running at once.
T1083 File and Directory Discovery (TA0007 Discovery)
DDKONG lists files on the victim’s machine.
T1105 Ingress Tool Transfer (TA0011 Command and Control)
DDKONG downloads and uploads files on the victim’s machine.