Orcus is a Remote Access Trojan (RAT). Programs of this type are used to remotely access or control computers. Generally, these tools can be used by anyone legitimately, however, in many cases, cyber criminals use them for malicious purposes. They often trick people into installing these programs and then use them to steal various information to generate revenue.A new, highly sophisticated campaign that delivers the Orcus Remote Access Trojan is hitting victims in ongoing, targeted attacks. Morphisec identified the campaign after receiving notifications from its advanced prevention solution at several deployment sites. The attack uses multiple advanced evasive techniques to bypass security tools. In a successful attack, the Orcus RAT can steal browser cookies and passwords, launch server stress tests (DDoS attacks), disable the webcam activity light, record microphone input, spoof file extensions, log keystrokes and more.

Capabilities of Orcus RAT

The Remote Access Trojan’s capabilities include:

1.Keylogging and remote administration
2.Stealing system information and credentials
3.Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light
4.Executing remote code execution and Denial-of-Service
5.Exploring/editing registry
6.Detecting VMs
7.Reverse Proxying
8.Real Time Scripting
9.Advanced Plugin System

In a recent set of campaigns that have targeted a variety of high-profile organizations, one adversary group was using modified versions of both Orcus and RevengeRAT to steal information. The campaigns rely on targeted phishing emails that pretend to come from organizations such as the Better Business Bureau and inform the recipient about an alleged complaint against the company or agency. The messages contain either a malicious ZIP attachment or a link to an attacker-controlled server where the malware is hosted.

“A PE32 executable is inside of the ZIP archive. It needs to be executed by the victim to infect the system with Orcus RAT. The PE32 filename features the use of double extensions (478768766.pdf.exe) which, by default on the Windows operating system, will only display the first extension (.PDF.) The PE32 icon has been set to make the file appear as if it is associated with Adobe Acrobat,” Edmund Brumaghin and Holger Unterbrink of Cisco’s Talos Intelligence Group wrote in an analysis of the campaigne.The emails included ZIP archives that contained malicious batch files responsible for retrieving the malicious PE32 file and dropping Orcus RAT and Revenge RAT onto victims’ systems.

For more cyber security Information contact us at help@theweborion.com.