Phone : +91 95 8290 7788 | Email :

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » New Malware Family Uses Custom UDP Protocol for C&C Communications

New Malware Family Uses Custom UDP Protocol for C&C Communications

Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia.

According to researchers from Palo Alto, the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia.

However, in previous years, threat actors behind KHRAT Trojan were allegedly linked to a Chinese cyber espionage group, known as DragonOK.

While monitoring the C&C infrastructure associated with KHRAT trojan, researchers identified multiple variants of these two malware families, where PLAINTEE appears to be the latest weapon in the group’s arsenal that uses a custom UDP protocol to communicate with its remote command-and-control server.

To deliver both PLAINTEE and DDKONG, attackers use spear phishing messages with different infection vectors, including malicious macros inside Microsoft Office Excel file, HTA Loader, and DLL Loader, which includes decoy files.

“These decoys contain details from public news articles focused primarily on political news and events,” researchers explain. “Additionally, these decoy documents are hosted on legitimate websites including a government website belonging to the Cambodia Government and in at least once case, Facebook.”

Moreover, PLAINTEE downloads and installs additional plugins from its C&C server using the same custom UDP protocol that transmits data in encoded form.

“These families made use of custom network communication to load and execute various plugins hosted by the attackers,” researchers say. “Notably the PLAINTEE malware’ use of a custom UDP protocol is rare and worth considering when building heuristics detections for unknown malware.”

On the other hand, DDKONG has been in use by the hacking group since February 2017 and doesn’t have any custom communication protocol like PLAINTEE, though it is unclear whether one threat actor or more only use this malware.

According to researchers, the final payload of both malware families suggests that the purpose of both malware is to conduct cyber espionage on their political targets; instead of stealing money from their targets.

Since RANCOR group is primarily targeting non-tech-savvy users, it is always advised to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source.

Moreover, most importantly, make use of behavioral-based antivirus software that can detect and block such malware before it can infect your device, and always keep it and other apps up-to-date.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India













What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.


Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.


Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : | Support Email :

Register & Request Quote | Submit Support Ticket