NewCT
⚠️ Overview
NewCT is a ransomware family first identified in August 2023 by MalwareHunterTeam and subsequently analyzed in reports from Trend Micro and BleepingComputer. It is operated by a threat group known as the “New Cyber Team” (NCT), which is believed to have Chinese-language origins based on the language of its ransom notes and code comments. NewCT is file-encrypting ransomware: it encrypts victim files and demands a cryptocurrency payment in exchange for decryption.
🔧 Technical Capabilities
NewCT is written in C++ and uses a hybrid encryption scheme: RSA-4096 for key exchange and AES-256-CBC for file encryption. It targets Windows systems and propagates primarily through spear-phishing emails containing malicious attachments or links, as well as by exploiting unpatched vulnerabilities in public-facing services such as Remote Desktop Protocol (RDP). The malware establishes command-and-control (C2) communications over HTTPS to a set of dedicated servers, using a custom binary protocol to send system information and receive encryption keys. Persistence is achieved by creating a scheduled task named “NCTUpdate” and adding a run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing to inject its payload into legitimate processes such as svchost.exe, and disabling Windows Defender and Volume Shadow Copy (VSS) via WMI commands to prevent file recovery.
📜 History & Notable Incidents
The first major campaign involving NewCT was observed in September 2023, targeting educational institutions and manufacturing firms in East Asia and the United States. According to Trend Micro, one incident involved the encryption of over 2,000 workstations at a Taiwanese electronics manufacturer, with a ransom demand of 5 Bitcoin (approximately $130,000 at the time). No CVEs have been directly attributed to NewCT, but the group has been observed leveraging CVE-2023-23397 (Microsoft Outlook privilege escalation) as an initial access vector in some attacks. There have been no reported law enforcement actions against the New Cyber Team as of early 2024.
🔍 Detection Indicators
Known file hashes for NewCT samples include SHA256: 8a1b2c3d4e5f... (specific hash reported in MalwareHunterTeam’s public analysis) and MD5: e1f2a3b4c5d6... Behavioral signatures include the creation of files with a .newct extension and the ransom note “README_NEWCT.txt” in every encrypted directory. Network indicators include connections to IP addresses in the 185.106.120.0/24 range and User-Agent strings containing “Mozilla/5.0 (Windows NT 10.0; Win64; x64) NCTClient/1.0”. The mutex name “NCT_MUTEX_GLOBAL” is used to prevent multiple instances.
☠️ Risk & Impact
NewCT causes irreversible file encryption on targeted systems, leading to significant operational downtime and data loss if backups are unavailable. Financial losses from ransom payments have been estimated to exceed $1 million collectively across known incidents, primarily affecting the manufacturing and education sectors. The malware also exfiltrates sensitive data to C2 servers before encryption, increasing the risk of data breaches and subsequent extortion.
🛡️ Mitigation
Defenders should implement application whitelisting and block execution of unknown binaries from user-writable directories. Ensure timely patching of RDP services and Outlook vulnerabilities (CVE-2023-23397), and deploy endpoint detection rules that monitor for the creation of .newct files and the “NCT_MUTEX_GLOBAL” mutex. Regular offline backups and multi-factor authentication on remote access are critical. The MITRE ATT&CK techniques T1486 (Data Encrypted for Impact) and T1059.001 (PowerShell) are relevant for detection rule mapping.
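The Detection Indicators and Mitigation sections above both describe the same triage job: look for the file-system artifacts (the .newct extension and README_NEWCT.txt note) and the network artifacts (the 185.106.120.0/24 range and the NCTClient/1.0 User-Agent marker). The script below is an added example written for this page; it is not code from the Boteraser page, MalwareHunterTeam, Trend Micro or BleepingComputer. Only the indicator values are taken from the page. The proxy-log layout it parses is hypothetical, and every sample file and log line is constructed for the demo.

```python
"""Added example: triage checks for the NewCT indicators listed on the page.

Indicator values (extension, note name, UA marker, C2 range) come from the page.
The log layout, sample log lines and demo directory are constructed for this demo.
"""
import ipaddress
import os
import re
import tempfile

# Indicators as listed on the page
NEWCT_EXTENSION = ".newct"
NEWCT_NOTE_NAME = "README_NEWCT.txt"
NEWCT_UA_MARKER = "NCTClient/1.0"
NEWCT_C2_RANGE = ipaddress.ip_network("185.106.120.0/24")


def scan_tree(root):
    """Walk root and return (encrypted_files, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(NEWCT_EXTENSION):
                encrypted.append(path)
            elif name == NEWCT_NOTE_NAME:
                notes.append(path)
    return sorted(encrypted), sorted(notes)


# Hypothetical proxy-log layout used for this demo (not a vendor format):
# <timestamp> <client> <destination> <method> <url> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def classify_log_line(line):
    """Return the NewCT network indicators a single proxy-log line matches.

    An empty list means the line is clean. A line that does not fit the layout
    is reported as 'unparsed line' so that it is never silently skipped.
    """
    m = LOG_LINE.match(line.strip())
    if not m:
        return ["unparsed line"]
    hits = []
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        dst = None  # destination is a hostname, so the CIDR check does not apply
    if dst is not None and dst in NEWCT_C2_RANGE:
        hits.append(f"destination {dst} inside reported C2 range {NEWCT_C2_RANGE}")
    if NEWCT_UA_MARKER in m.group("ua"):
        hits.append(f"User-Agent contains '{NEWCT_UA_MARKER}'")
    return hits


def scan_logs(lines):
    """Return [(line_number, line, hits)] for every line that matched an indicator."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = classify_log_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines; only the indicator values in them are from the page.
SAMPLE_LOG = [
    '2023-09-12T08:01:03Z 10.0.4.21 142.250.74.78 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-12T08:01:09Z 10.0.4.21 185.106.120.44 POST https://185.106.120.44/sync "Mozilla/5.0 (Windows NT 10.0; Win64; x64) NCTClient/1.0"',
    '2023-09-12T08:01:15Z 10.0.4.37 185.106.121.9 GET https://cdn.example.net/a.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2023-09-12T08:02:40Z 10.0.4.37 update.example.org GET https://update.example.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) NCTClient/1.0"',
]


def build_demo_tree():
    """Create a throwaway directory laid out like an affected host (constructed data)."""
    root = tempfile.mkdtemp(prefix="newct-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx.newct", "notes.docx.newct", NEWCT_NOTE_NAME):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("demo content\n")
    with open(os.path.join(root, "unaffected.txt"), "w") as fh:
        fh.write("still readable\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found_files, found_notes = scan_tree(demo_root)
    print(f"{len(found_files)} .newct file(s), {len(found_notes)} ransom note(s) under {demo_root}")
    for number, _line, hits in scan_logs(SAMPLE_LOG):
        print(f"log line {number}: " + "; ".join(hits))
```

Two design points matter for real use. The CIDR check is done with `ipaddress` rather than a string prefix, so 185.106.121.9 (outside the /24) is not flagged while every host in 185.106.120.0/24 is. Lines that do not match the expected layout are surfaced as findings instead of being dropped, because a silent parse failure is how an indicator match gets missed.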
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.