Orcus RAT employs advanced evasive techniques
A new, sophisticated campaign that delivers the Orcus Remote Access Trojan (RAT) is claiming victims in ongoing and targeted attacks.
Security company Morphisec identified the campaign after receiving notifications from its prevention solution at several deployment sites.
The attack employs a range of advanced evasive techniques to slip through the security net.
If the attack is successful, the Orcus RAT can steal browser cookies and passwords, launch distributed denial-of-service attacks, disable Web cam activity, record microphone input, spoof file extensions, log keystrokes and more.
Forensic data from the attack, captured by Morphisec's researchers, showed a high correlation to additional samples in the wild, indicating a single threat actor is behind multiple campaigns, including this one.
This threat actor focuses specifically on information stealing and .NET evasion, and employs unique strings in the malware.
Before executing the attacks, the campaign registers domains through FreeDns services. It also employs legitimate free text storage services such as paste, signs its executables, heavily misuses commercial .NET packers and embeds payloads within video files and images.
From the initial attack data, the researchers observed that the attack flow proceeds as follows: a persistent VBscript executes a PowerShell script that downloads a .NET executable obfuscated and encrypted by ConfuserEx. The downloaded executable performs known user access control bypass through event viewer registry hijacking to get the highest privileges.
The running process with the highest privileges downloads a legitimate Ramadan-themed Coca-Cola advertising video, which contains an embedded .NET Orcus RAT.
Michael Gorelik, CTO of Morphisec, says: "Based on the settings, the Orcus installs itself under program files within the Orcus folder, and it also validates the existence of a mutex to prevent double infection. To mitigate the threat, IT admins may validate the existence of the notepad++ false certificate on disk files. In addition, they can sniff the network, and identify what is leaving the network to the specified URLs."
The Orcus RAT masquerades as a legitimate remote administration tool, although it is clear from its features and functionality that it is not and was never intended to be, he adds. Until a few weeks ago, it was publicly sold and licensed by an organisation calling itself Orcus Technologies.
"Given that Orcus RAT was recently made freely available, we expect to see more attacks delivering new Orcus RAT variants as a payload," he says.
This latest threat highlights that although businesses try to bolster their security defences, threat actors, if determined enough, will find ways to bypass them, he concludes.