NewCT

Description

(FireEye) The first-stage payload for the RATs called "CT/NewCT", used by both the Moafee and DragonOK attack groups, employs an evasive "CPU core check" technique. The payload attempts to detect the number of processor cores in the running environment by calling the GetSystemInfo API, which returns a structure of system data that includes the number of cores. If only one core is detected, it quits. This is probably an attempt to detect virtualized environments such as sandboxes, as well as other analysis environments used by reverse engineers, which are often configured with a single core. If the CPU core check detects more than one core, it implants the NewCT2 RAT in %temp%\MSSoap.DLL (some variants use BurnDCSrv.DLL or IntelAMTPP.DLL instead) and executes the written file.

Names

  • NewCT
  • CT

Category

Malware

Type

  • Loader

Information

  • Malpedia
  • Alienvault OTX

Other Information

Uuid

6b4292bd-b44f-4f30-82f9-2ee15bdac87e

Last Card Change

2020-04-23