ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool NewCore RAT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: NewCore RAT

NamesNewCore RAT
CategoryMalware
TypeReconnaissance, Backdoor, Keylogger, Info stealer, Exfiltration, Tunneling
Description(Fortinet) This RAT is a DLL file. Its malicious routines are contained in its imported function “ProcessTrans”. However, executing the DLL without using the downloader will not work as the C&C server string is not embedded in its body. When the downloader calls the function “ProcessTrans”, it supplies to the function the C&C server string and a handle to the C&C server internet session. In this case, Heuristic detection based on behavior will not work on the DLL alone.

This RAT is capable of the following:

• Shutdown the machine
• Restart the machine
• Get disk list
• Get directory list
• Get file information
• Get disk information
• Rename files
• Copy files
• Delete files
• Execute files
• Search files
• Download files
• Upload files
• Screen monitoring
• Start command shell

NewCore RAT may just be a rehashed PCClient RAT, but it proves to be effective in evading AV detection by using a combination of simple techniques such as DLL-hijacking, file-less execution of downloaded malware, and passing C&C information as parameter from downloader to the downloaded file.
Information<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>
<https://securelist.com/cycldek-bridging-the-air-gap/97157/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:NewCore>

Last change to this tool card: 03 June 2020

Download this tool card in JSON format

Previous: Neutrino POS
Next: NewCT

All groups using tool NewCore RAT

ChangedNameCountryObserved

APT groups

 Goblin Panda, Cycldek, ConimesChina2013-Jun 2020 
 Naikon, Lotus PandaChina2012-2017 

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key