{
	"id": "e43fa4a7-af59-4364-9943-fa1f6ac3302d",
	"created_at": "2026-04-06T00:08:42.702326Z",
	"updated_at": "2026-04-10T03:37:19.321855Z",
	"deleted_at": null,
	"sha1_hash": "b8c0b74b66479f1e6251ed7621c758865e39e2ec",
	"title": "Rehashed RAT Used in APT Campaign Against Vietnamese Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1887997,
	"plain_text": "Rehashed RAT Used in APT Campaign Against Vietnamese Organizations\r\nPublished: 2017-09-05 · Archived: 2026-04-05 14:59:34 UTC\r\nRecently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. To evade suspicion from the victim, these RTF files drop decoy documents containing politically themed texts about a variety of Vietnamese government-related topics. A recent report attributed the hacking campaign in which these documents were used to the Chinese hacking group 1937CN. The link to the group was found through malicious domains used as command and control servers by the attacker. In this blog, we will delve into the malware used in this campaign and try to provide more clues as to the instigator of this campaign.\r\nhttps://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html\r\nPage 1 of 13\r\nSample decoy documents\r\nWhen the documents are opened, they drop several files in one of the following folders:\r\n%AppData%\\Microsoft\\Credentials\r\n%AppData%\\Microsoft\\SystemCertificates\r\n%AppData%\\Microsoft\\Windows\\Templates\r\nSome samples drop the following files:\r\nTaskeng.exe – signed legitimate GoogleUpdate.exe version 1.3.33.5\r\nPsisrndrx.ebd – encrypted blob containing the malware file\r\nGoopdate.dll – decrypter and loader of the malware file\r\nSome drop the following files:\r\nSC\u0026Cfg.exe – signed legitimate McAfee AV application\r\nVsodscpl.dll – contains the malware file\r\nOthers drop the following files:\r\nSystemm.exe – signed legitimate GoogleUpdate.exe version 1.3.30.3\r\nSystemsfb.ebd – encrypted blob containing the malware file\r\nGoopdate.dll – decrypter and loader of the malware file\r\nSimilar to other APT attacks, such as MONSOON APT, this APT uses DLL hijacking to evade the behavior monitoring technologies of security programs.\r\nDLL Hijacking\r\nDLL hijacking is a technique used by some APT malware in which, instead of the legitimate application (.exe) loading the benign DLL, the application is tricked into loading a DLL containing malicious code. This technique is employed to evade the Host Intrusion Prevention System (HIPS) of security programs that monitor the behaviors of executed files. Most HIPS tools whitelist signed or trusted files, thereby excluding malware loaded by signed files via DLL hijacking from behavior monitoring.\r\nIn the context of this attack, taskeng.exe and SC\u0026Cfg.exe are signed legitimate applications; however, they are tricked into loading malware that is disguised as the legitimate Goopdate.dll and Vsodscpl.dll files.\r\nTaskeng.exe and SC\u0026Cfg.exe file information\r\nNext, Taskeng.exe needs to load and import some functions from the original Goopdate.dll file; however, Goopdate.dll was hijacked to contain malicious code, effectively redirecting the original code execution to execution of the malicious code.\r\nSnippet from taskeng.exe that loads goopdate.dll\r\nIn the same fashion, SC\u0026Cfg.exe imports the “dll_wWinMain” function from the original vsodscpl.dll, but this DLL was hijacked as well and also contains malicious code.\r\nSC\u0026Cfg.exe import table containing import from vsodscpl.dll\r\nOnce the malicious DLLs are loaded, the DLLs decrypt (from psisrndrx.ebd in the first case, or from their own body in the second case) and load a Trojan downloader. The Trojan downloader is a DLL file. It is not dropped on disk but is only executed in memory. Also, the actual Trojan downloader, when dumped from memory, will not run. This is because the ‘MZ’ in the IMAGE_DOS_HEADER, the DOS stub, and the ‘PE’ signature were deliberately removed. This was done to prevent the dumped file from being analyzed properly in a debugger and decompiler. However, we can easily fix the dump by adding the ‘MZ’, a DOS stub, and the ‘PE’ signature.\r\nMissing header items as anti-analysis\r\nThis Trojan downloader downloads a RAT (Remote Access Trojan), which we will call “NewCore” RAT, from the following domains:\r\nweb.thoitietvietnam.org\r\ndalat.dulichovietnam.net\r\nhalong.dulichculao.com\r\nTrojan Downloader\r\nThe Trojan downloader first creates an autostart registry entry so it runs whenever the machine is rebooted:\r\nHKLM/HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nMicrosoft Windows Media = “%AppData%\\Microsoft\\Credentials\\.exe”\r\nAs an anti-VM check, it looks for the following registry key:\r\nHKCR\\Applications\\VMwareHostOpen.exe\r\nBefore it can download the NewCore RAT, it needs to send the following information to the C\u0026C server:\r\nOS version\r\nProcessor speed\r\nNumber of processors\r\nPhysical memory size\r\nComputer name\r\nUser name\r\nUser privilege\r\nComputer IP address\r\nVolume serial number\r\nThe above information is converted to its hex string representation and then sent to the C\u0026C server via HTTP GET:\r\nGET request to the C\u0026C server\r\nThe response is XOR-encrypted data that includes the encrypted NewCore RAT.\r\nResponse from the server\r\nXOR decryption of response from the C\u0026C server\r\nNewCore Remote Access Trojan\r\nWe named this RAT ‘NewCore’ after the project name used by the author, which is indicated in the following PDB file string:\r\nMalware project name\r\nAccording to its compilation time stamp, this malware was compiled on March 16, 2017.\r\nCompilation time\r\nHowever, as of this writing, only a few Antivirus engines, including Fortinet, detect this malware according to VirusTotal.\r\nVirusTotal positives\r\nThis RAT is a DLL file. Its malicious routines are contained in its imported function “ProcessTrans”. However, executing the DLL without using the downloader will not work, as the C\u0026C server string is not embedded in its body. When the downloader calls the function “ProcessTrans”, it supplies to the function the C\u0026C server string and a handle to the C\u0026C server internet session. In this case, heuristic detection based on behavior will not work on the DLL alone.\r\nThis RAT is capable of the following:\r\nShutdown the machine\r\nRestart the machine\r\nGet disk list\r\nGet directory list\r\nGet file information\r\nGet disk information\r\nRename files\r\nCopy files\r\nDelete files\r\nExecute files\r\nSearch files\r\nDownload files\r\nUpload files\r\nScreen monitoring\r\nStart command shell\r\nShutdown and restart machine commands\r\nFile manager, monitor screen, command shell commands\r\nFile manager subcommands\r\nBased on the strings found in its body, this malware may have been derived from the PcClient and PcCortr backdoors, whose source codes are publicly available, especially on Chinese language coding forums. PcClient detections usually include PcCortr.\r\nStrings related to PcCortr modules\r\nPcClient and PcCortr source codes can be downloaded from Chinese coding forums\r\nPcClient was used in the past by some APT groups such as Nitro, which were also linked to a China-based hacker. According to the PDB file string embedded in the NewCore RAT body, the creator of the project is someone using the handle “hoogle168”.\r\nWe have little clue as to who this individual is, so we tried to look for information about this handle. Our investigation led us to several Chinese language forum pages. Looking at these forums, it seems like a user using the handle “hoogle168” is very active on certain coding forums and is proficient in C and VC++. This user even replied to a thread and gave advice on what to learn to develop remote control software. We don’t know for sure if this person is the NewCore author.\r\nSolution:\r\nTo prevent triggering this RTF exploit, it is important to apply the patches released by Microsoft that cover the CVE-2012-0158 vulnerability.\r\nFortinet also covers detection for these threats as MSOffice/Dropper!exploit.CVE20120158 for the malicious RTF files, and W32/NewCore.A!tr.bdr for the payload.\r\nC\u0026C URLs were also blocked using Fortinet's FortiGuard Web Filtering.\r\nConclusion:\r\nNewCore RAT may just be a rehashed PcClient RAT, but it proves to be effective in evading AV detection by using a combination of simple techniques such as DLL hijacking, file-less execution of downloaded malware, and passing C\u0026C information as a parameter from the downloader to the downloaded file.\r\nAs always, FortiGuard Labs will keep an eye on threats like NewCore to protect our customers against these threats.\r\nThank you to Tien Phan for additional insights.\r\n-= FortiGuard Lion Team =-\r\nIOCs:\r\nLure:\r\nLoader:\r\n9cebae97a067cd7c2be50d7fd8afe5e9cf935c11914a1ab5ff59e91c1e7e5fc4\r\nea5b3320c5bbe2331fa3c0bd0adb3ec91f0aed97709e1b869b79f6a604ba002f\r\nTrojan Downloader:\r\nedbcc384b8ae0a2f52f239e2e599c3d2053f98cc1f4bc91548ec420bec063be6\r\n49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966\r\ndf8475669a14a335c46c802f642dd5569c52f915093a680175c30cc9f28aacdb\r\nNewCore RAT:\r\n37bd97779e854ea2fc43486ddb831a5acfd19cf89f06823c9fd3b20134cb1c35\r\nCommand and Control Servers:\r\nweb.thoitietvietnam.org\r\ndalat.dulichovietnam.net\r\nhalong.dulichculao.com\r\nSource: https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html"
	],
	"report_names": [
		"rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8c0b74b66479f1e6251ed7621c758865e39e2ec.pdf",
		"text": "https://archive.orkl.eu/b8c0b74b66479f1e6251ed7621c758865e39e2ec.txt",
		"img": "https://archive.orkl.eu/b8c0b74b66479f1e6251ed7621c758865e39e2ec.jpg"
	}
}