1937CN is a hacking group that originates from China and has been given the label APT (Advanced Persistent Threat) by cybersecurity experts. Recently, a hacking tool believed to be part of their vast arsenal gained some attention: the NewCore RAT (Remote Access Trojan). It appears that 1937CN employed the NewCore RAT in an attack against government institutions in Vietnam. Once malware researchers detected the NewCore RAT, they set about analyzing the threat and how the cybercriminals use it.
1937CN propagates the NewCore RAT by exploiting a vulnerability in older versions of the Microsoft Office suite, tracked as CVE-2012-0158. The vulnerability is triggered by specially crafted, corrupted RTF files. This allowed 1937CN to send fraudulent emails carrying an infected RTF attachment that mimics a legitimate document produced by the Vietnamese government, tricking victims into opening it. If a user who opens the corrupted RTF file has not updated their Microsoft Office suite, the Trojan downloader has a green light to start wreaking havoc. Its first step upon launch is to gain persistence by modifying the Windows Registry. It then establishes a connection to a hardcoded Command & Control (C&C) server. Before taking any further action, the Trojan downloader may collect information about the infected system's configuration, architecture, username, hardware, and network configuration, and send it to the attacker's servers as an encrypted string. In response, the C&C server sends several XOR-encrypted packages, which the Trojan downloader decodes and uses to deploy the NewCore RAT.
The NewCore RAT also manipulates the Windows Registry to gain persistence, much as the Trojan downloader did before it. This Remote Access Trojan puts a myriad of tools at its operators' disposal, enabling them to take screenshots, modify local files, retrieve information about the infiltrated system, restart or shut down the PC, send remote commands, and download, upload, and execute files on the infected computer.
Hacking groups like 1937CN are relentless, and businesses, as well as government entities, cannot afford to overlook their cybersecurity practices.