
NewCore RAT

Posted: May 8, 2019

The NewCore RAT is a hacking tool that might be part of the arsenal of a Chinese APT group that goes by the name 1937CN. One of the recent campaigns involving the NewCore RAT targeted government entities in Vietnam, and it allowed malware researchers to dissect and analyze the infection vector used to deploy the NewCore RAT on the compromised computer.

The attack begins when the target receives a bogus email message that contains an RTF file attachment disguised as a Vietnamese government document. The RTF document is modified to attempt to exploit the ‘CVE-2012-0158’ vulnerability, which requires the use of a corrupted RTF file and an outdated version of the Microsoft Office software suite. If the victim’s software is not up-to-date, the RTF file supplied by the attackers might initiate the attack by deploying several files whose purpose is to start a Trojan downloader and modify the Windows Registry to give it persistence. Naturally, the purpose of the downloader is to introduce the NewCore RAT to the victim’s machine. This happens after the Trojan establishes a remote connection with the attacker’s server and transmits information about the architecture, hardware, and software settings of the compromised system. The response returned by the Command & Control server contains XOR-encrypted data and an obfuscated XOR key that enables the Trojan downloader to unpack and execute the final payload.
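A triage heuristic for the attachment stage described above, as an added example that is not from the original page or the researchers it summarizes: it decodes embedded `\objdata` objects in an RTF file and flags those that name MSCOMCTL.OCX controls, the component affected by CVE-2012-0158. The function names, finding labels and the sample document are constructed for illustration, and a hit means "inspect further", not "confirmed exploit".

```python
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound-file header
MSCOMCTL_PROGID = b"mscomctllib."                # ProgID prefix of MSCOMCTL.OCX controls
_OBJDATA = re.compile(rb"\\objdata(?![a-zA-Z])")
_CONTROL = re.compile(rb"\\(?:[a-zA-Z]+-?\d* ?|[\s\S])")
_HEX = b"0123456789abcdefABCDEF"


def objdata_blobs(rtf: bytes) -> list[bytes]:
    """Decode the hex payload of every \\objdata group, skipping nested groups
    and control words that are sometimes inserted to break naive scanners."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        depth, i, digits = 0, m.end(), bytearray()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:          # end of the \objdata group itself
                    break
                depth -= 1
            elif c == b"\\":            # skip a control word or escaped symbol
                w = _CONTROL.match(rtf, i)
                i += len(w.group(0)) - 1 if w else 0
            elif depth == 0 and c in _HEX:
                digits += c
            i += 1
        blobs.append(bytes.fromhex(digits[: len(digits) // 2 * 2].decode()))
    return blobs


def triage_rtf(data: bytes) -> set[str]:
    """Return heuristic findings for one attachment (empty set = nothing flagged)."""
    findings = set()
    if not data.lstrip().startswith(b"{\\rt"):   # lenient header check
        return findings
    for blob in objdata_blobs(data):
        findings.add("embedded-object")
        if OLE2_MAGIC in blob:
            findings.add("ole2-container")
        if MSCOMCTL_PROGID in blob.lower():
            findings.add("mscomctl-control")
    return findings


# Constructed, inert sample: an object header naming a ListView control, no exploit data.
_payload = (b"\x01\x05\x00\x00MSComctlLib.ListViewCtrl.2\x00" + OLE2_MAGIC).hex().encode()
SAMPLE = b"{\\rtf1{\\object\\objocx{\\*\\objdata " + _payload[:20] + b"\r\n{\\*\\x junk}" + _payload[20:] + b"}}}"
```

Calling `triage_rtf(SAMPLE)` returns all three findings, while an RTF file without embedded objects returns an empty set.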

Once the NewCore RAT is activated, it may, like the Trojan downloader, immediately modify the Windows Registry to acquire persistence. The RAT features a broad range of modules that would allow its operators to carry out the following operations on the compromised system:

  • Execute shutdown or restart commands.
  • Receive file system information.
  • Modify local files.
  • Download and execute files on the targeted machine.
  • Upload and execute files.
  • Grab screenshots.
  • Send remote command shell commands.

The best way to protect yourself from the NewCore RAT and similar threats is to follow the latest security practices and use a trustworthy anti-malware application.
