Orcus is a Remote Access Trojan (RAT). These types of programs are used to remotely access or control computers. Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan. however, in many cases, cybercriminals use them for malicious purposes.

Orcus includes some illegal features such as the ability to disable the webcam activity light, retrieve passwords from well-known applications, and retrieve browser cookies. It is also capable of using the microphone to record sound (any input), performing keylogging (logging keystrokes), and so on.

Research shows that some cybercriminals use spam campaigns (emails) to trick people into installing this particular tool. They send emails that are presented as messages from “Lathe and CNC Machines” as invoices. These emails include attachments that, once opened, download and install Orcus. Spam campaigns are one of the most common ways to proliferate computer infections, or legitimate tools such as RATs, which can then be used in malicious ways. Researchers from Cisco Talos have discovered these the threat actor group behind the attacks is using a fileless attack technique to gain persistence on targeted systems and evade detection.

How does Work Orcus RAT

In the beginning, the attackers made use of the SendGrid email delivery service to redirect victims to an attacker-controlled malware distribution server. However, in the later attacks, the adversary modified the infection process by adding ZIP archive attachments to emails. Although the emails featured the same themes, they no longer leveraged the SendGrid URLs.

The attached ZIP archives contain malicious batch files responsible for retrieving the malicious PE32 file and executing it, thus infecting the systems.

“One interesting thing to note about the batch files was the use of an obfuscation technique that is not commonly seen. In early campaigns, the attacker prepended the bytes “FF FE 26 63 6C 73 0D 0A” into the file, causing various file parsers to interpret the file contents as UTF-16 LE, resulting in the parsers failing to properly display the contents of the batch file,” said the researchers.

How does Remove Orcus RAT

Using Task manager, and identified a program that looks suspicious, you should continue with these steps:

Step 1: Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations.

Step 2: Restart your computer into Safe Mode.

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click “Restart” while holding “Shift” button on your keyboard. In the “choose an option” window click on the “Troubleshoot”, next select “Advanced options”. In the advanced options, menu selects “Startup Settings” and click on the “Restart” button. In the following window, you should click the “F5” button on your keyboard. This will restart your operating system in safe mode with networking.

Step 3: Extract the downloaded archive and run the Autoruns.exe file.

Step 4: In the Autoruns application, click “Options” at the top and uncheck the “Hide Empty Locations” and “Hide Windows Entries” options. After this procedure, click the “Refresh” icon.

Step 5: Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Step 6: Reboot your computer in normal mode.