
BlueCore RAT

Posted: June 4, 2020

The BlueCore RAT is a custom-built Remote Access Trojan (RAT) that was first used by the Cycldek Advanced Persistent Threat (APT) group. It was built on the foundation of the NewCore RAT, which the same cybercrime organization used in its older campaigns. The BlueCore RAT appears to be used in targeted attacks against networks in Vietnam, although some active BlueCore RAT implants also were discovered on systems in Laos and Thailand. Surprisingly, in some cases the BlueCore RAT was found alongside the RedCore RAT, which might mean that the Cycldek operators accidentally infected the same victim more than once.

The BlueCore RAT is usually spread through weaponized RTF documents that may have been created with Royal Road, a document-weaponizing tool frequently used by Chinese threat actors to create corrupted RTF files. Once initialized, the BlueCore RAT gains persistence by abusing the Windows Registry, and it stores its configuration file under the name 'desktop.ini'.
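A configuration file hidden under the name 'desktop.ini' is a useful triage point for defenders, because a genuine Windows desktop.ini is short INI text with a small set of known sections. The following Python script is an added example (not code from the page or from any vendor) that classifies the bytes of a desktop.ini as legitimate or suspicious; the section list, the entropy threshold and the sample inputs are assumptions constructed for this example, not real BlueCore artefacts.

```python
import configparser
import math
from collections import Counter
from typing import List, Tuple

# Sections a genuine Windows desktop.ini is expected to contain
# (assumption: a heuristic list, not an exhaustive Windows specification).
KNOWN_SECTIONS = {".ShellClassInfo", "ViewState", "LocalizedFileNames", "DeleteOnCopy"}
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain INI text sits well below packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_desktop_ini(data: bytes, entropy_threshold: float = 6.0) -> Tuple[str, List[str]]:
    """Return ("legitimate" | "suspicious", reasons) for the bytes of a desktop.ini.

    Heuristics (assumptions for this example): a real desktop.ini is ASCII or
    UTF-16 INI text with known sections; an implant configuration stored under
    that name tends to be binary, high-entropy, or not valid INI at all.
    """
    reasons = []
    if b"\x00" in data and not data.startswith(UTF16_BOMS):
        reasons.append("NUL bytes without a UTF-16 BOM")
    ent = shannon_entropy(data)
    if ent > entropy_threshold:
        reasons.append(f"entropy {ent:.2f} bits/byte exceeds {entropy_threshold}")
    try:
        text = data.decode("utf-16") if data.startswith(UTF16_BOMS) else data.decode("ascii")
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        sections = set(parser.sections())
        if not sections:
            reasons.append("no INI sections")
        elif not sections & KNOWN_SECTIONS:
            reasons.append(f"unknown sections: {sorted(sections)}")
    except (UnicodeDecodeError, configparser.Error):
        reasons.append("not parseable as INI text")
    return ("suspicious" if reasons else "legitimate", reasons)


# Constructed samples for demonstration (not real BlueCore artefacts).
GENUINE = b"[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n"
FAKE = bytes(range(256)) * 2  # binary blob masquerading as desktop.ini

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("fake", FAKE)):
        print(name, *classify_desktop_ini(sample))
```

Run it against every desktop.ini collected from a host (the real files are normally marked hidden and system) and review the ones reported as suspicious alongside Registry autorun entries.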

The BlueCore RAT's features are almost identical to the ones seen in the NewCore RAT. Its operators can:

  • Execute remote commands and transmit the output to a control server.
  • Download files from the control server or a remote URL.
  • Transfer files between the infected host and the control server.
  • Reboot the system.

Cybersecurity researchers have not found a reason why the Cycldek operators would use three separate RATs that share almost identical features and properties: BlueCore, RedCore and NewCore. One thing is certain, however: the Cycldek hackers have proven their experience and expertise in the cybercrime field, and they certainly have a reason to create and use this toolset.
