Orcus RAT: A sneak peek into the Remote Access Trojan’s malicious campaigns

• Orcus RAT is primarily distributed via spear-phishing emails and drive-by-downloads.
• Its capabilities include keylogging, stealing system information and credentials, taking screenshots, recording audio/video, real-time scripting, and more.

Orcus RAT is a Remote Access Trojan that is active since 2016. Orcus was developed by a malware author who goes under the name ‘Sorzus’. This RAT has been sold for $40 since April 2016, with the ability to build custom plugins. Orcus RAT is primarily distributed via spear-phishing emails and drive-by-downloads.

Capabilities of Orcus RAT

The Remote Access Trojan’s capabilities include:

• Keylogging and remote administration
• Stealing system information and credentials
• Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light
• Executing remote code execution and Denial-of-Service
• Exploring/editing registry
• Detecting VMs
• Reverse Proxying
• Real Time Scripting
• Advanced Plugin System

Orcus RAT distributed via decoy Word document

Researchers spotted a malspam campaign distributing Orcus RAT via malicious Microsoft Word documents.

• The phishing emails included a malicious MS Word document.
• Upon opening the document, an automatic download of a malicious RTF file is triggered.
• This RTF file deploys a remote code execution (RCE) exploit (CVE-2017-8759), which drops the Orcus RAT on the victims’ systems.

Orcus RAT targets Bitcoin investors

A phishing campaign disguised as email marketing for new Bitcoin trading bot dubbed ‘Gunbot’ distributed Orcus RAT.

• Phishing emails sent to the Bitcoin investors in the guise of email marketing for ‘Gunbot’ included a ZIP attachment.
• The ZIP attachment contained a Visual Basic script disguised as a JPEG image file.
• The malicious VB script downloads a binary that delivers and executes Orcus RAT.

Tax-themed phishing campaign

In January 2018, researchers spotted various tax-related phishing campaigns targeting the US taxpayers with a range of RATs including Orcus RAT, Netwire, and Remcos RAT.

Ramadan-themed Coca-Cola video distributes Orcus RAT

In February 2019, researchers observed a malware campaign that distributed Orcus RAT inside a Ramadan-themed Coca-Cola video. Upon clicking the video, a series of downloads and processes were triggered, which includes:

• Searching for and hijacking a process using a User Access Control (UAC) bypass technique
• Downloading and executing the RAT that comes attached to the video
• Harvesting data and sending it back to the attackers’ C&C servers

Revenge RAT and Orcus RAT

In a recent malspam campaign, researchers spotted a threat actor distributing two popular remote access trojans to launch attacks against different organizations across various sectors. The targeted sectors include financial services, information technology, consultancies, and government entities.

The malspam emails purported to come from various authorities such as the Better Business Bureau (BBB), Australian Competition & Consumer Commission (ACCC), Ministry of Business Innovation & Employee (MBIE) and other regional agencies.

The emails included ZIP archives that contained malicious batch files responsible for retrieving the malicious PE32 file and dropping Orcus RAT and Revenge RAT onto victims’ systems.