RevengeRAT and Orcus RAT return in new cyber espionage campaign targeting multiple organizations

• Most of the attacks have been carried out through phishing emails.
• These emails include complaints against the organization being targeted.

A threat actor has been found leveraging two popular remote access trojans to launch attacks against different organizations. The malware are RevengeRAT and Orcus RAT and are being used to target government entities, financial services, information technology service providers and consultancies.

What’s the matter?

Researchers from Cisco Talos have discovered that the threat actor group behind the attacks is using a fileless attack technique to gain persistence on targeted systems and evade detection.

How does the campaign operate?

Researchers note that there are several variations of the infection process associated with the distribution of malware. However, most of them have been carried out through phishing emails. These emails appear to come from various authorities such as the Better Business Bureau (BBB), Australian Competition & Consumer Commission (ACCC), Ministry of Business Innovation & Employee (MBIE) and other regional agencies. These emails include complaints against the organization being targeted.

In the beginning, the attackers made use of the SendGrid email delivery service to redirect victims to an attacker-controlled malware distribution server. However, in the later attacks, the adversary modified the infection process by adding ZIP archive attachments to emails. Although the emails featured the same themes, they no longer leveraged the SendGrid URLs.

The attached ZIP archives contain malicious batch files responsible for retrieving the malicious PE32 file and executing it, thus infecting the systems.

“One interesting thing to note about the batch files was the use of an obfuscation technique that is not commonly seen. In early campaigns, the attacker prepended the bytes "FF FE 26 63 6C 73 0D 0A" into the file, causing various file parsers to interpret the file contents as UTF-16 LE, resulting in the parsers failing to properly display the contents of the batch file,” said the researchers.

Worth noting

According to researchers, the C2 infrastructure used for these attacks leverages the Dynamic Domain Name System (DDNS) in an attempt to hide attackers’ infrastructure. The attackers had pointed the DDNS over to the Portmap service, thus providing an additional layer of infrastructure obfuscation.

“Portmap is a service designed to facilitate external connectivity to systems that are behind firewalls or otherwise not directly exposed to the internet. These systems initiate an OpenVPN connection to the Portmap service, which is responsible for handling requests to those systems via port mapping,” researchers explained.

Conclusion

Researchers expect that the ongoing malware attack campaign is likely to increase in the future, impacting various organizations around the world.

Organizations should leverage comprehensive defense-in-depth security controls to protect their infrastructures from these malware families.