NewCore RAT

Description

(Fortinet) This RAT is a DLL file. Its malicious routines are contained in its imported function “ProcessTrans”. However, executing the DLL without using the downloader will not work, as the C&C server string is not embedded in its body. When the downloader calls the function “ProcessTrans”, it supplies to the function the C&C server string and a handle to the C&C server internet session. In this case, heuristic detection based on behavior will not work on the DLL alone.

This RAT is capable of the following:

  • Shutdown the machine
  • Restart the machine
  • Get disk list
  • Get directory list
  • Get file information
  • Get disk information
  • Rename files
  • Copy files
  • Delete files
  • Execute files
  • Search files
  • Download files
  • Upload files
  • Screen monitoring
  • Start command shell

NewCore RAT may just be a rehashed PCClient RAT, but it proves to be effective in evading AV detection by using a combination of simple techniques such as DLL-hijacking, file-less execution of downloaded malware, and passing C&C information as a parameter from the downloader to the downloaded file.

Names

Name
NewCore RAT

Category

Malware

Type

  • Reconnaissance
  • Backdoor
  • Keylogger
  • Info stealer
  • Exfiltration
  • Tunneling

Information

Malpedia

Alienvault Otx

Other Information

Uuid

55a366cc-0771-4854-85a3-5eed99e33f9e

Last Card Change

2020-06-04