Orcus RAT

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Type: RAT
Origin: Canada
First seen: 1 April, 2016
Last seen: 25 January, 2023
Also known as: Schnorchel
Global rank: 19
Week rank: 17
Month rank: 17
IOCs: 6323

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan that gives an attacker remote control of infected systems. Although Orcus RAT is in most respects a typical member of the RAT family, it has a few features that set it apart from similar malware.

In addition, Orcus RAT has a modular structure and lets operators write custom plugins for it. This modularity makes the trojan more scalable and easier to manage than most of its peers, and lets operators tailor the client to the needs of a given campaign.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name “Orcus RAT” and was presented to the public as legal software for remote administration, similar to Teamviewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT has a standard but robust feature set for an advanced Remote Access Trojan: it can take screenshots, log keystrokes, activate the webcam, record audio, and steal passwords and other information. Orcus can also detect when it is launched inside a virtual machine, which complicates analysis by security researchers.

These functions alone make the malware quite capable, but Orcus adds a few unusual ones on top. It supports plugins: besides letting operators build their own, it ships with a library of ready-made plugins to choose from. Orcus RAT plugins can be written in several languages, including C#, C++, and VB.Net.

To streamline plugin development, the malware's creators released a dedicated development environment. Those who lack the skills to build a plugin from scratch can follow detailed tutorials and well-maintained documentation.

Orcus also had a GitHub page on which the authors published sample plugins.

Another relatively unusual feature the authors packed into the malware is real-time scripting, which lets an operator write code and run it on infected machines on the fly.

As for the authors, the malware was developed by 36-year-old John Revesz, known as "Armada" on underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is a legitimate remote administration program and that his company, "Orcus Technologies", is a legal business. However, an examination of the software's functionality clearly showed that it is intended for malicious use, which resulted in Revesz's arrest.

Revesz is believed not to have worked alone, and a joint development effort is plausible given the technical complexity of parts of the malware. For example, Orcus RAT consists of multiple components, with the control panel separate from the rest: the server that infected clients connect to does not host an admin panel itself. This architecture has several advantages for attackers, such as letting several operators share access to the infected PCs connected to the same server, and it allows infected networks to scale further.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows the execution process of Orcus RAT in real time.

Figure 1: The execution process of Orcus RAT, shown as a process graph generated by ANY.RUN.

Figure 2: A text report generated by ANY.RUN. Text reports are useful for demonstration and can be customised by the user to show the data they need.

Orcus RAT execution process

The execution process of Orcus RAT is straightforward. The malware often disguises itself as a game cheat or a crack, so it usually arrives as an archive with the executable compressed inside. Because the trojan is written in C#, it relies on the .NET infrastructure that ships with Windows. In our sample, the C# source code was compiled on the victim machine: the sample started the Visual C# compiler (csc.exe), which in turn started the Resource File To COFF Object Conversion Utility (cvtres.exe). Once compiled, the resulting executable started running and began its malicious activity. Note that Orcus does not always reach a system this way; in some cases it arrives as a precompiled executable that only needs the user to double-click it.

Orcus RAT malware distribution

Orcus RAT commonly reaches target machines as a downloadable attachment to malicious spam emails. Campaigns are often highly targeted, aimed at organizations rather than individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server hosting the payload. Orcus needs the user to launch the payload; in most cases it cannot infect a system without that interaction.

How to detect Orcus RAT?

This malware creates files that let analysts identify it with a high degree of certainty. To identify Orcus RAT, open the "Advanced details of process" by clicking the "More info" button and switch the events display to "Raw". The trojan often creates files with "Orcus" in their names, so all we need is to find such a file; to make it easier, type "Orcus" in the filename field. If such a file is found, you are almost certainly looking at Orcus RAT. Note that this relies on the default build: an operator who renames the client will not be caught by the filename alone, so treat the match as a confirmation rather than the only check.

Figure 3: Files created by Orcus RAT.
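As an added example, not code from ANY.RUN or from Orcus itself, the following Python script applies the two indicators described in the execution-process and detection sections above to constructed, Sysmon-style process and file events: a csc.exe to cvtres.exe compile chain spawned by a process outside the usual build locations, and files whose names contain "Orcus". The event field names, the sample paths, and the list of "trusted parent" directories are assumptions, not taken from the page.

```python
"""Heuristics for spotting an Orcus RAT run in sandbox process/file telemetry.

Added example, not code from ANY.RUN or from Orcus itself. Events are plain
dicts in a Sysmon-like shape (field names are an assumption):
  {"type": "process", "pid": int, "ppid": int, "image": str}
  {"type": "file",    "pid": int, "path": str}
"""

# Constructed sample telemetry modelled on the chain described on this page:
# a user-launched "crack" starts csc.exe, csc.exe starts cvtres.exe, and the
# compiled payload then writes Orcus-named files. All paths are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Users\\user\\Desktop\\game_crack.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe"},
    {"type": "process", "pid": 500, "ppid": 200, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\out.exe"},
    {"type": "file", "pid": 500, "path": "C:\\Users\\user\\AppData\\Roaming\\Orcus\\Orcus.exe"},
    {"type": "file", "pid": 500, "path": "C:\\Users\\user\\AppData\\Roaming\\Orcus\\Orcus.exe.config"},
    {"type": "file", "pid": 200, "path": "C:\\Users\\user\\AppData\\Local\\Temp\\readme.txt"},
]

# A legitimate build: csc.exe spawned by MSBuild from Program Files. Must not fire.
BENIGN_EVENTS = [
    {"type": "process", "pid": 10, "ppid": 1,  "image": "C:\\Program Files\\Microsoft Visual Studio\\MSBuild.exe"},
    {"type": "process", "pid": 11, "ppid": 10, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"},
    {"type": "process", "pid": 12, "ppid": 11, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe"},
]

# Parent directories from which a compiler launch is considered normal (assumption).
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_runtime_compile_chains(events):
    """Return (parent_image, csc_pid, cvtres_pid) for every csc.exe that was
    spawned by a process outside the trusted directories and itself spawned
    cvtres.exe, i.e. a payload being compiled on the victim at run time."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = {}
    for p in procs.values():
        children.setdefault(p["ppid"], []).append(p)
    hits = []
    for p in procs.values():
        if basename(p["image"]) != "csc.exe":
            continue
        parent = procs.get(p["ppid"])
        if parent is None or parent["image"].lower().startswith(TRUSTED_PARENT_PREFIXES):
            continue
        for child in children.get(p["pid"], []):
            if basename(child["image"]) == "cvtres.exe":
                hits.append((parent["image"], p["pid"], child["pid"]))
    return hits


def find_orcus_named_files(events):
    """Paths of created files whose file name contains 'orcus' (case-insensitive),
    the default-build artefact the detection section relies on."""
    return [e["path"] for e in events
            if e["type"] == "file" and "orcus" in basename(e["path"])]


def orcus_verdict(events):
    """Combine both indicators into a single verdict dict."""
    chains = find_runtime_compile_chains(events)
    files = find_orcus_named_files(events)
    if files:
        verdict = "orcus_rat"                   # named artefact: high confidence
    elif chains:
        verdict = "suspicious_runtime_compile"  # generic dropper behaviour only
    else:
        verdict = "clean"
    return {"runtime_compile": chains, "orcus_files": files, "verdict": verdict}


if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign build", BENIGN_EVENTS)):
        print(name, orcus_verdict(evs))
```

The compile chain on its own is generic dropper behaviour (any .NET malware that ships its payload as source and compiles it with csc.exe produces it), which is why the script only rates it "suspicious" without the Orcus-named file; conversely, a rebuilt client with a different name passes the filename check, so in production both signals would be fed from Sysmon process-creation and file-creation events rather than used in isolation.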

Conclusion

Orcus RAT is a sophisticated trojan that offers some unusual functions on top of solid basic information-stealing capabilities. Its technical sophistication was paired with an affordable price of just 40 USD, and today a leaked version can be downloaded for free. Unfortunately, this, along with good support and documentation, has ensured the RAT's popularity.

Researchers have been observing Orcus RAT campaigns since it appeared in 2016, and its popularity is still rising, so new attacks using this malware can be expected.

Researchers can use the ANY.RUN malware hunting service to study Orcus RAT or other RATs such as Quasar RAT or njRAT. ANY.RUN is an interactive sandbox that lets the analyst pause and adjust the simulation at any point, which ensures clean research results. Useful information obtained from the analysis can also be added to our growing database of cyber threats to help combat internet crime worldwide.

IOCs

IP addresses
212.220.202.104
92.55.19.153
194.34.132.153
104.244.74.228
3.134.196.116
198.54.133.70
109.171.5.62
193.242.166.42
91.109.190.2
45.132.1.232
31.44.184.164
122.186.23.243
51.83.172.114
185.239.242.241
45.134.212.91
5.253.206.213
176.210.6.212
52.58.191.87
37.252.7.150
20.239.89.161
Hashes

Domains
vcctggqm3t.dattolocal.net
booking.msg.bluhotels.com
searchkn1.sima-land.ru
2.tcp.eu.ngrok.io
c16d-35-240-187-111.ngrok.io
isns.net
majul.com
4.tcp.eu.ngrok.io
WindowsAuthentication324-49629.portmap.host
thuocnam.tk
7.tcp.eu.ngrok.io
krupskaya.com
m-onetrading-jp.com
ticket.ipv10.eu
3jkpvk2m8y.dattolocal.net
elx01.knas.systems
6.tcp.eu.ngrok.io
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
microsoftfixer.duckdns.org
