สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Report

Home > List all groups > List all tools > List all groups using tool NewCore RAT

Threat Group Cards: A Threat Actor Encyclopedia

Tool: NewCore RAT

Names	NewCore RAT
Category	Malware
Type	Reconnaissance, Backdoor, Keylogger, Info stealer, Exfiltration, Tunneling
Description	(Fortinet) This RAT is a DLL file. Its malicious routines are contained in its imported function “ProcessTrans”. However, executing the DLL without using the downloader will not work as the C&C server string is not embedded in its body. When the downloader calls the function “ProcessTrans”, it supplies to the function the C&C server string and a handle to the C&C server internet session. In this case, Heuristic detection based on behavior will not work on the DLL alone. This RAT is capable of the following: • Shutdown the machine • Restart the machine • Get disk list • Get directory list • Get file information • Get disk information • Rename files • Copy files • Delete files • Execute files • Search files • Download files • Upload files • Screen monitoring • Start command shell NewCore RAT may just be a rehashed PCClient RAT, but it proves to be effective in evading AV detection by using a combination of simple techniques such as DLL-hijacking, file-less execution of downloaded malware, and passing C&C information as parameter from downloader to the downloaded file.
Information	<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html> <https://securelist.com/cycldek-bridging-the-air-gap/97157/>
Malpedia	<https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat>
AlienVault OTX	<https://otx.alienvault.com/browse/pulses?q=tag:NewCore>

Last change to this tool card: 04 June 2020

Download this tool card in JSON format

Previous: Neutrino POS
Next: NewCT

All groups using tool NewCore RAT

Changed	Name	Country	Observed
APT groups
	Goblin Panda, Cycldek, Conimes		2013-Jun 2020
	Naikon, Lotus Panda		2010-Apr 2022

2 groups listed (2 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Report incidents

+66 (0)2-123-1227

[email protected]