A new malware campaign that is used to distribute the Orcus Remote Access Trojan (RAT) has been discovered recently. A threat actor group named PUSIKURAC is found to be behind this campaign and is initiated by injecting the malware in a Ramadan-themed Coca-Cola video.
According to a cybersecurity vendor Morphisec, the attackers hide the Orcus RAT inside a Coca-Cola video. Once the user clicks on the video, a series of downloads and processes are initiated. This includes:
Researchers noted that Orcus RAT has been using the UAC bypass mechanism over the past two years to avoid detection by security software.
“This threat actor specifically focuses on information stealing and .NET evasion. Based on unique strings in the malware, we have dubbed the actor PUSIKURAC. Before executing the attacks, PUSIKURAC registers domains through FreeDns services. It also utilizes legitimate free text storage services like paste, signs its executables, heavily missuses commercial .NET packers and embeds payloads within video files and images,” the Morphisec researchers said in a blog post.
A successful attack can enable the Orcus trojan to do perform several nefarious activities. This includes stealing browser cookies and passwords, launching server stress tests for DDoS attacks, disabling the webcam activity, recording microphone input, spoofing file extensions, and logging keystrokes.