The BlueCore RAT (Remote Access Trojan) is a hacking tool that belongs to the arsenal of the Cycldek hacking group. The Cycldek APT (Advanced Persistent Threat) likely originates from China and tends to go after political institutions and high-ranking politicians in Southeast Asia. Most of the targets of the Cycldek group’s latest campaigns are located in Laos, Vietnam and Thailand.
The BlueCore RAT has mainly been used against targets located in Vietnam. However, cybersecurity researchers have also spotted the BlueCore RAT on compromised systems located in Thailand and Laos. The Cycldek APT appears to have used the BlueCore RAT in combination with another of its custom-built hacking tools, dubbed RedCore RAT. This was likely done by mistake, as it is unlikely that the Cycldek group intended to deploy both tools on the same hosts.
It would appear that the BlueCore RAT has been spread with the help of malicious RTF documents. The documents in question were likely created with a tool known as Royal Road, which is often used by Chinese hackers to generate weaponized RTF documents. To obtain persistence on the infected host, the BlueCore RAT tampers with the Windows Registry and names its configuration file ‘desktop.ini’.
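The choice of the name ‘desktop.ini’ for the configuration file gives defenders a cheap hunt heuristic: a genuine desktop.ini is a small text INI carrying Windows shell-folder sections such as [.ShellClassInfo], so a file of that name that is binary, does not parse as an INI, or carries no shell-folder section deserves a closer look. The script below is an added example written for this page, not the researchers’ tooling or anything recovered from the malware. The section names are real Windows ones; the three sample files are constructed, and the assumption that BlueCore’s configuration is not itself a well-formed shell-folder INI is mine, since the article does not describe the file’s contents.

```python
import configparser
import os
import tempfile

# Section names used by legitimate Windows shell-folder desktop.ini files.
LEGIT_SECTIONS = {".ShellClassInfo", "ViewState", "LocalizedFileNames", "DeleteOnCopy"}

# Constructed samples (not real BlueCore artefacts): a normal folder INI,
# an INI with a section no shell folder uses, and an opaque binary blob.
LEGIT_INI = (
    b"[.ShellClassInfo]\r\n"
    b"IconResource=%SystemRoot%\\system32\\shell32.dll,-20\r\n"
    b"[ViewState]\r\n"
    b"Mode=\r\n"
    b"FolderType=Generic\r\n"
)
RAT_INI = (
    b"[Settings]\r\n"
    b"; constructed placeholder values, not the real configuration\r\n"
    b"server=placeholder.invalid\r\n"
    b"port=0\r\n"
)
BINARY_BLOB = b"\x00\x01\x02MZ\x90\x00\xff\xfe\xfd"


def decode_ini(data: bytes):
    """Decode as the encodings Windows writes desktop.ini in; None if it is not text."""
    # NUL bytes without a UTF-16 BOM mean the file is not an ANSI/UTF-8 INI.
    if b"\x00" in data and not data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return None
    for enc in ("utf-8-sig", "utf-16"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        # INI text carries no control characters other than CR, LF and TAB.
        if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
            continue
        return text
    return None


def classify_desktop_ini_bytes(data: bytes) -> str:
    """Return 'legit' or a 'suspicious:<reason>' verdict for a desktop.ini body."""
    text = decode_ini(data)
    if text is None:
        return "suspicious:not-text"
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return "suspicious:not-ini"
    if not set(parser.sections()) & LEGIT_SECTIONS:
        return "suspicious:unknown-sections"
    return "legit"


def scan_tree(root: str):
    """Walk a directory tree and report every desktop.ini that is not a shell-folder INI."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify_desktop_ini_bytes(fh.read())
            if verdict != "legit":
                findings.append((os.path.relpath(path, root), verdict))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Lay out the three constructed samples as desktop.ini files in separate folders."""
    for folder, body in (("legit_folder", LEGIT_INI),
                         ("rat_config", RAT_INI),
                         ("binary_drop", BINARY_BLOB)):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "desktop.ini"), "wb") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, verdict in demo():
        print(f"{verdict:32} {rel_path}")
```

On a real host you would point scan_tree at user profile and program data directories rather than a temp tree; the verdicts are a triage signal to pair with the Registry autorun review the article implies, not proof of infection on their own.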
The BlueCore RAT is based on one of the Cycldek APT’s most widely used tools, the NewCore RAT, which is why its features are nearly identical to those of the NewCore RAT. The BlueCore RAT allows the Cycldek group to:
- Restart the infected computer.
- Download files from a URL or the C&C (Command & Control) server of the attackers.
- Exchange files between the C&C server and the compromised host.
- Execute remote commands and provide the C&C server with the output of the activities.
The BlueCore RAT is a threat that can cause a lot of damage to a compromised system. It is best to protect your computer against cyber crooks by investing in a genuine anti-virus software suite.