ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > List all tools > List all groups using tool NewCT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: NewCT

Description(FireEye) The first-stage payload for RATs called “CT/NewCT” used by both the Moafee and DragonOK attack groups employs an evasive “CPU core check” technique. The payload attempts to detect the number of processor cores in the running environment, by calling the 'GetSystemInfo' API, which returns a structure with system data, including number of cores. If only one core is detected, it quits. This probably is an attempt to detect virtualized environments such as sandboxes, as well as other analysis environments used by reverse engineers, which often tend to be configured with a single core. If the CPU core check detects more than one core, it implants the NewCT2 RAT in %temp%\MSSoap.DLL(some variants will use BurnDCSrv.DLL and IntelAMTPP.DLL) and executes the written file.
AlienVault OTX<>

Last change to this tool card: 23 April 2020

Download this tool card in JSON format

All groups using tool NewCT


APT groups

 DragonOKChina2015-Jan 2017 

1 group listed (1 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]