- Version 1.1
- Create Date June 27, 2020
Orcus RAT is a Remote Access Trojan that has been active since 2016. Orcus was developed by a malware author who goes by the name 'Sorzus'. The RAT has been sold for $40 since April 2016 and supports building custom plugins.
- Orcus RAT is primarily distributed via spear-phishing emails and drive-by-downloads.
- Its capabilities include keylogging, stealing system information and credentials, taking screenshots, recording audio/video, real-time scripting, and more.
Capabilities of Orcus RAT
- Keylogging and remote administration
- Stealing system information and credentials
- Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light
- Remote code execution and Denial-of-Service attacks
- Exploring/editing registry
- Detecting VMs
- Reverse Proxying
- Real Time Scripting
- Advanced Plugin System
Orcus RAT distributed via decoy Word document
Researchers spotted a malspam campaign distributing Orcus RAT via malicious Microsoft Word documents.
- The phishing emails included a malicious MS Word document.
- Upon opening the document, an automatic download of a malicious RTF file is triggered.
- This RTF file deploys a remote code execution (RCE) exploit (CVE-2017-8759), which drops the Orcus RAT on the victims’ systems.
Orcus RAT targets bitcoin investors
A phishing campaign disguised as email marketing for the new bitcoin trading bot 'Gunboat' distributed Orcus RAT.
The 'Gunboat' marketing email, sent to bitcoin investors, carried a zip attachment.
The zip attachment contained a Visual Basic script disguised as a JPEG image file.
The malicious VB script downloads a binary that drops and executes the Orcus RAT.
Tax-themed Phishing Campaigns
In January 2018, researchers spotted various tax-related phishing campaigns targeting US taxpayers with a range of RATs, including Orcus, NetWire, and Remcos RAT.
Ramadan-themed Coca-Cola video distributes Orcus RAT
In February 2019, researchers spotted a malware campaign distributing Orcus RAT inside Ramadan-themed Coca-Cola videos. Clicking on the video started a series of downloads and processes, including:
- Searching for and hijacking a process using a User Account Control (UAC) bypass technique
- Downloading and executing the RAT attached to the video
- Storing collected data and sending it back to the attackers' C&C server
Revenge RAT and Orcus RAT
In a recent spam campaign, researchers observed a threat actor delivering two popular remote access trojans in attacks against organizations across various sectors. Targeted sectors include financial services, information technology, consulting and government institutions.
The malspam emails purport to come from various organizations such as the Better Business Bureau (BBB), the Australian Competition and Consumer Commission (ACCC), the Ministry of Business, Innovation and Employment (MBIE) and other regional agencies.
The emails carried zip archives containing malicious batch files responsible for retrieving the malicious PE32 file and dropping Orcus RAT and Revenge RAT on the victims' systems.
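As an added defender-side example (not code from the original page or from the cited research), the Python script below triages an email attachment archive for the two lure shapes described on this page: a script hidden behind an image extension, as in the 'Gunboat' zip, and batch or executable droppers, as in the BBB/ACCC/MBIE zip. The sample archive, its member names and their contents are constructed for the demonstration.

```python
import io
import zipfile

# Extensions Windows runs on double-click; decoy extensions lures imitate.
EXEC_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".exe", ".scr"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx"}
PE_EXT = {".exe", ".dll", ".scr"}


def classify_name(filename):
    """Return (last_ext, decoy_ext_or_None) for an archive member name."""
    base = filename.lower().rsplit("/", 1)[-1]
    exts = ["." + p.strip() for p in base.split(".")[1:]]  # strip() defeats padding tricks
    if not exts:
        return "", None
    decoy = next((e for e in exts[:-1] if e in DECOY_EXT), None)
    return exts[-1], decoy


def suspicious_entries(zip_bytes):
    """Scan an attachment archive; return [(member, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            last, decoy = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            if last in EXEC_EXT and decoy:
                findings.append((info.filename, f"{last} script/program disguised as {decoy}"))
            elif last in EXEC_EXT:
                findings.append((info.filename, f"executable attachment ({last})"))
            if head == b"MZ" and last not in PE_EXT:
                findings.append((info.filename, "PE (MZ) header under non-executable extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive mimicking the lures described on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Gunboat_promo.jpg.vbs", "' constructed VBScript placeholder\r\n")
        zf.writestr("run.bat", "@echo off\r\nrem constructed batch placeholder\r\n")
        zf.writestr("readme.txt", "benign text\r\n")
        zf.writestr("update.dat", b"MZ" + b"\x00" * 62)  # constructed fake PE header
    return buf.getvalue()
```

Run `suspicious_entries(build_sample_zip())` to see the three flagged members; the benign text file is not reported.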