BlueCore RAT
The BlueCore RAT is a custom-built Remote Access Trojan (RAT) that was first used by the Cycldek Advanced Persistent Threat (APT) group. This Trojan was built on the foundation of the NewCore RAT that the same cybercrime organization used in its older campaigns. The BlueCore RAT, however, appears to be used in targeted attacks against networks in Vietnam, although some active BlueCore RAT implants also were discovered on systems in Laos and Thailand. Surprisingly, in some cases, the BlueCore RAT was found alongside the RedCore RAT, which might mean that the Cycldek operators accidentally infected the same victim more than once.
BlueCore RAT is usually spread with the use of weaponized RTF documents that might have been created with the help of Royal Road, an unsafe tool frequently used by Chinese threat actors to create corrupted RTF documents. Once initialized, the BlueCore RAT gains persistence by abusing the Windows Registry, and it stores its configuration file under the name 'desktop.ini.'
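As an added defensive example (this is not code from the original page or from the Cycldek research it summarizes), the script below flags desktop.ini files that do not look like genuine Windows shell-folder settings, which is one way to triage the configuration-storage trick described above. The expected section names, the size limit and the sample file contents are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumption: a genuine desktop.ini is a tiny INI text file with sections such as [.ShellClassInfo].
KNOWN_SECTIONS = {".shellclassinfo", "viewstate", "localizedfilenames"}
SECTION_RE = re.compile(r"^\[(.+?)\]\s*$", re.MULTILINE)
MAX_LEGIT_SIZE = 4096  # assumption: real shell-folder files are far smaller than this

def is_suspicious_desktop_ini(data: bytes) -> bool:
    """True when the content does not look like Windows shell-folder settings."""
    if len(data) > MAX_LEGIT_SIZE:
        return True
    try:
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = data.decode("utf-16")  # Windows sometimes writes UTF-16 with a BOM
        else:
            text = data.decode("utf-8")
    except UnicodeDecodeError:
        return True  # binary or encrypted blob: cannot be a shell INI
    sections = {m.group(1).strip().lower() for m in SECTION_RE.finditer(text)}
    return not (sections & KNOWN_SECTIONS)

def scan_tree(root: str) -> list:
    """Walk a directory tree and return the paths of suspicious desktop.ini files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_suspicious_desktop_ini(fh.read()):
                    hits.append(path)
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample tree: one genuine desktop.ini and two look-alikes."""
    root = tempfile.mkdtemp(prefix="dini_")
    samples = {
        "Pictures": b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-113\r\n",
        "Temp": b"[config]\r\nserver=C2-PLACEHOLDER\r\nport=443\r\n",  # INI-like, not shell data
        "AppData": b"\x8b\x11\xff\x00" + bytes(range(32)),  # opaque binary blob
    }
    for sub, content in samples.items():
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "desktop.ini"), "wb") as fh:
            fh.write(content)
    return root
```

Running `scan_tree(build_sample_tree())` reports the two look-alike files and leaves the genuine Pictures entry alone; pointing `scan_tree` at a user profile gives a quick hunt list to review by hand.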
The BlueCore RAT's features are almost identical to the ones seen in the NewCore RAT. Its operators can:
- Execute remote commands and transmit the output to a control server.
- Download files from the control server or a remote URL.
- Transfer files between the infected host and the control server.
- Reboot the system.
Cybersecurity researchers have been unable to find a reason why the Cycldek operators would use three separate RATs that share almost identical features and properties – BlueCore, RedCore and NewCore. However, one thing is for sure – the Cycldek hackers have proven their experience and expertise in the cybercrime field, and they certainly have a reason to create and use this toolset.