itjd has been tracking a new Remote Access Trojan ( Orcus Rat Complete Tutorial ), known as “orlas”, since April 2016 for $ 40 USD. Although Orcus has all the distinctive features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability. The purpose of this blog is to highlight some of the capabilities and effects seen so far of this new RAT family.
Orcus Rat Complete Tutorial
Before discussing the details of this RAT family, let’s discuss how Orcus became a commercially sold RAT. Around October 2015, the developer of Orcas, going by the nickname “Sorzus”, was posting a thread on a hacker forum about a RAT he was developing, how it could be published, Requesting a response to this. The developer then named the tool “Snorkel”, German for “Snorkel”.
The figure below shows the early versions of Orcus when it was being developed. It is interesting to see that the developer details mentioned on the earlier version indicates “Vincent (Alkalinee)”, and we are also aware that ‘Alkalinee’ was the alias which was being used by the developer before taking the new alias of ‘Sorzus’. (This also suggests that the real name of the Orcus developer may be ‘Vincent’.)
The developer had shared intentions to publish the RAT for free and make it open-source. However, some of the users in the forum responded, advising to make it commercial instead of sharing it for free or making it open source, citing that the source code would eventually be used by others to repackage and sell it as a new RAT. One forum user, alias “Armada”, offered to assist “Sorzus” on helping out with publishing the tool and apparently became Sorzus’ eventual partner. || Orcus Rat Complete Tutorial
“Sorzus” and “Armada” are believed to be the two main individuals currently managing the sales and development of Orcus. Brian Krebs published a blog a few weeks ago disclosing details of the individual who has been supposedly known to be the person behind Orcus. Our analysis suggests that ‘Sorzus’ is the main developer of the RAT and ‘Armada’ is mostly responsible for sales and support of the tool.
Architecture
Orcus is developed using C# with the Windows administration/controller component developed using WPS (Windows Presentation Foundation), which is used to render user interfaces in Windows based systems. Orcus has three main components to its architecture: Orcus controller, Orcus Server and the trojan binary which is deployed on a victim machine. The delivery vectors vary, ranging from a spear phishing attack using the malware binary with the email, having a hyperlink with a download link to the Orcus malware binary, or even using drive-by download methods. || Orcus Rat Complete Tutorial
In most RAT malware, once a victim has been infected, the malware connects back to the admin panel of the attacker to send data and provide control to the infected machine. However, if a victim machine is infected with an Orcus RAT, it connects back to the Orcus server which does not have the admin panel on it. Orcus has a separate component for the admin panel (Orcus controller) which enables control of all infected machines from the Orcus controller. This set up offers multiple benefits to the cyber criminals using Orcus. For example, they are able to share access to victim machines by accessing a single Orcus server which would enable a group of cyber criminals working together to better manage their infected victim networks and also allow scalability of their Orcus network by deploying multiple ‘Orcus servers’.
The developer not only has a controller build for Windows, but also created an Android app for the admin controller to control the infected machines using an Android device. An Android app for the controller/administration component is also available from Google Play. || Orcus Rat Complete Tutorial
Unique Features
Below are some Orcus features that can enable full control of a victim machine:
- Keylogger
- Screengrabs
- Remote code execution
- Webcam monitor
- Disable webcam light
- Microphone recorder
- Remote administration
- Password stealers
- Denial of Service
- VM Detection
- InfoStealer
- HVNC
- Reverse Proxy
- Registry explorer/editor
- Real Time Scripting
- Advanced Plugin System
Orcus has many common features of a RAT, however the features which are unique and stand out the most is the ‘Plugin System’ and ‘Real time scripting’. The plugin feature allows users of Orcus to build their own plugins or download plugins which have been developed by the author. If a user has basic knowledge on one of the supported programming languages, which are C#, VB.Net or C++, that user can easily extend and write plugins to build on to the current capabilities of Orcus. The author also provides a developer package to create the plugins with an IDE (Integrated Development Environment), which is an application used by programmers to develop programs. || Orcus Rat Complete Tutorial
The Orcus sellers also provide very well documented tutorials to create plugins, and also maintain a Github page which has a few sample plugins created. Orcus allows seven different types of plugins to be created. Figure 5 shows the current list of plugin types that can be built.
The libraries are well documented and are currently being hosted on ‘sharpdox.de’. Sharpdox is a tool to create C# code documentations and can be hosted on ‘sharpdox.de’. Figure 6 shows an example of the methods or functions which are available to the Orcus plugin’s ‘ClientController’ class.
The Real Time scripting feature allows Orcus users to write and execute code (C#, VB.Net) in real time while remotely managing the compromised system.
Analysis: Orcus Protections
From an incident responder or threat analyst’s perspective, it is important to understand the type of anti-analysis protections a malware family employs so one is able to build an environment to successfully analyze the malware. This blog is not intended to discuss reverse-engineering the RAT in detail; however, it is interesting to see some of the anti-analysis features which Orcus employs to avoid being detected in a standard analysis environment.
We reverse-engineered one of the Orcus samples seen on a recent attack to check and verify some of the configured features. Given Orcus is developed in C# / VB.Net, we can easily peek into the code using a .NET disassembler. If an Orcus user enables the VMDetection feature while building the malware binary, the malware would check if the malware is running within a virtual machine environment. The virtual machines that Orcus detects are ParallelsDesktop, VirtualBox, VirtualPC and VMWare. The figure below shows the code excerpt for detecting the presence of virtual machines.
Orcus also checks for processes of network monitoring tools like Netmon, TCPView and Wireshark as shown in the figure below.
Impact
Figure 10 below shows the trending graph seen in Autofocus on the number of malware download sessions for Orcus. Given the feature rich toolset and the scalability Orcus provides, it is not a surprise that the usage and acceptance of the Orcus RAT is growing among cyber criminals since being first sold early this year. Given the increasing popularity of Orcus, it is likely that we will see more cyber crime campaigns where the RAT of choice is Orcus.
Conclusion
The individuals behind Orcus are selling the RAT by advertising it as a “Remote Administration Tool” under a supposedly registered business and claiming that this tool is only designed for legitimate business use. However, looking at the feature capabilities, architecture of the tool, and the publishing and selling of the tool in hacker forums, it is clear that Orcus is a malicious tool, and that its target customer is cyber criminals. It’s not uncommon but this is an interesting case where a developer with an initial intention to release the code for free or open source, ends up in collaborating with an individual in a hacker forum who has prior experience in building and selling similar malicious tools, and creates a commercial RAT which has started to gain wide acceptance among cyber criminals with its unique feature set and flexible architecture.
Palo Alto Networks WildFire correctly identifies Orcus as malicious and AutoFocus customers can track this threat using the Orcus tag.
Hi there, I think your site might be having browser compatibility issues. Whenever I take a look at your website in Safari, it looks fine however, when opening in I. E., it has some overlapping issues. I merely wanted to provide you with a quick heads up! Apart from that, wonderful site! Conni Courtney Ulrike
I blog frequently and I truly thank you for your information. This great article has really peaked my interest. I am going to take a note of your website and keep checking for new information about once a week. I subscribed to your Feed too.| Mirabella Jamey Kancler
What a pleasure to find someone who identifies the issues so clearly Juline Edouard Philis
Article is really excellent. Every time I read it,
Really thank you for this beautiful article, it was a very informative articlee.
The article is really excellent. Every time I read it, I get information again.
The best article I’ve read in a long time. thankx
What’s Taking place i am new to this, I stumbled upon this I have found It positively useful and it has aided me out loads. I hope to give a contribution & help other customers like its aided me. Great job.
Greetings! I know this is somewhat off topic but I was wondering if you knew
where I could locate a captcha plugin for my comment form?
I’m using the same blog platform as yours and I’m having trouble finding
one? Thanks a lot.!
My relatives every time say that I am wasting my time here at net, however I
know I am getting know-how all the time by reading thes
good articles.
Pretty section of content. I just stumbled upon your weblog and
in accession capital to assert that I acquire actually enjoyed account your blog
posts. Anyway I’ll be subscribing to your augment and
even I achievement you access consistently quickly
How to get back your ex Boyfriend | Vashikaran Specialist
Has your boyfriend broken up with you? Have you tried your best to get her to change her mind and found that it hasn’t worked at all? | get back your ex boyfriend
Don’t panic. Right now I’m gonna teach you how to get your ex-boyfriend back and help you turn this whole situation around.
Every single person has a desire to find the best joys and happiness in all aspects of life. Our life is a journey of ups and downs that takes us through a lot of stages and each one comes with its own challenges and rewards. However, love is the most powerful and significant emotion or feeling that any person could experience. Love is a bond of eternal togetherness that offers a person countless delights and allows him or her to cherish pure joys at all times.
The feeling of having a bond with someone who cares the most for you and wishes the best for you is most valuable. Despite all the wonders of this pure emotion, love relationships tend to be challenging for many couples and there arise anomalies in the same. Under the influences of negativities and in many cases by the evil eyes of those who are jealous, lovers tend to get in troubles with one another and this hinders the peace in their relationship.
Counter the negativities in a love relationship with the best services of Love Vashikaran Specialist
Vashikaran is a powerful astrology technique that utilizes special mantras and chants to help eradicate the negative elements in a person’s life and in case of love relationship troubles, these mantras help bring couples together and successfully reignite the passionate feelings of affection.
The Online Vashikaran Specialist is an expert with vast range of know-how of the vashikaran techniques. These services have proven to be vital for allowing couples to overcome the difficulties in their bond and pave way for eternal peace and prosperity.
Here are the top benefits to cherish from the services of Vashikaran Specialist –
The vashikaran services are a wonderful abode of joy to allow lovers to be safe against all kinds of challenges in a relationship. With vashikaran specialist, you are offered the best guarantee of a lifetime of eternal togetherness with the beloved.
If the troubles in love have forced you and your beloved to separate from each other, then you can Get Ex Love Back by Vashikaran. Vashikaran services allow you to influence others and make them act, do or think as you desire and this is vital to gain benefits in life as you wish.
From thousands of years, vashikaran has been a powerful resort to engage in techniques which have helped mankind to cherish ultimate prosperity in love and marriage aspects. As love is the most important feeling in life, with Love Vashikaran Specialist you get to find all the bliss in the same.
Another challenge that a couple faces is the extra-marital affairs of a partner. Vashikaran also helps to overcome this and helps a couple to maintain peace and joy in their relationship by reinforcing their trust.
If after timeless troubles you have separated from your lover and feel bad about it, then you can rekindle the affectionate feelings and Get Ex-Boyfriend Back by Vashikaran. With the blissful guidance of vashikaran specialist, you get to find peace in life.
Another challenge that love couples face is to convince their parents and family for marriage with the partner of choice. The Online Vashikaran Specialist is an expert in helping couples to make it possible for them to get hitched with their beloved.
For experiencing a lifetime of unhindered delights and joys, the avail of vashikaran specialist services is a must and this safeguards your prospects of happiness at all times.
Gain a promise of lifetime togetherness with vashikaran services for love
Love related troubles and problems are common and many couples face the same. While it is the most blissful bond that two people can share with each other, it comes with its set of duties and responsibilities for the partners. Love is a relationship based on honesty, trust, affection, care and dedication towards the beloved.
If there arise misunderstandings in the bond, then a couple faces major problems and at certain stages these problems increase to a point where they fail to resolve the issues. However, it is with the guidance of Online Vashikaran Specialist that love partners get to face all the negativities and emerge as winners from the same. This helps them stay loyal to each other so as to share a lifetime of happiness and peace.
Embark on a lifetime of togetherness and find the best love marriage success
Every couple in love desires to take the relationship to the next level and get married. Marriage is the ultimate bond that two people can share and to help lovers get married to one another, the guidance and expertise of Vashikaran Specialist is imperative to avail. Marriage is an ultimate emotion and a journey that lovers can embark on.
In order to make love marriage possible, the lovers need to convince their parents and families. In many cases, this is not possible easily, this is where the expertise of Love Vashikaran Specialist comes into play. With the vashikaran mantras, you can influence the decisions of others and this way you are successful in gaining permission for marriage from your parents.
With Love Vashikaran Services you also gain a blissful means to make your crush or beloved fall in love with you and also accept your marriage proposal. The mantras influence the thoughts and help infuse the feelings of love in your special one by making him or her develop affectionate feelings for you.
Expert vashikaran services to guarantee 100% success and happiness in life
Vashikaran is a delightful remedy that poses as a one stop solution to help alleviate all the problems from a person’s life. If you wish to Get Ex Love Back by Vashikaran or desire to convince you crush for a relationship, then the services from vashikaran specialist astrologer are must to be availed. | get back your ex boyfriend
In order to ensure success in all life aspects and to bless your love relationships with eternal assurance of happiness, it is must that the services of Online Vashikaran Specialist be availed so that you can embark on a wonderful journey of ultimate peace, prosperity and joy.
https://www.vashikaranspecialist.com/how-to-get-back-your-ex-boyfriend-vashikaran-specialist/
The article is really excellent. Every time I read it, I get information again.
The best article I’ve read in a long time….
Hello there! This article couldn’t be written much better!
Looking through this article reminds me of my previous roommate!
He always kept preaching about this. I’ll forward this post to him.
Pretty sure he will have a very good read. Thank you for sharing!
Spot on with this write-up, I actually feel this
website needs a great deal more attention. I’ll probably be returning to see
more, thanks for the information!
Greetings! I know this is somewhat off topic but I was wondering if you knew
where I could locate a captcha plugin for my comment form?
I’m using the same blog platform as yours and I’m having trouble finding
one? Thanks a lot!
My relatives every time say that I am wasting my time here at net, however I
know I am getting know-how all the time by reading thes
good articles.
Muchos Gracias for your blog article.Really looking forward to read more. Really Great.