ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool NewCT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: NewCT

NamesNewCT
CT
CategoryMalware
TypeLoader
Description(FireEye) The first-stage payload for RATs called “CT/NewCT” used by both the Moafee and DragonOK attack groups employs an evasive “CPU core check” technique. The payload attempts to detect the number of processor cores in the running environment, by calling the 'GetSystemInfo' API, which returns a structure with system data, including number of cores. If only one core is detected, it quits. This probably is an attempt to detect virtualized environments such as sandboxes, as well as other analysis environments used by reverse engineers, which often tend to be configured with a single core. If the CPU core check detects more than one core, it implants the NewCT2 RAT in %temp%\MSSoap.DLL(some variants will use BurnDCSrv.DLL and IntelAMTPP.DLL) and executes the written file.
Information<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:newct>

Last change to this tool card: 23 April 2020

Download this tool card in JSON format

Previous: NewCore RAT
Next: NewCT2

All groups using tool NewCT

ChangedNameCountryObserved

APT groups

XDragonOKChina2015-Jan 2017 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key