BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
18
Global rank
14 infographic chevron month
Month rank
52 infographic chevron week
Week rank
386
IOCs

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

RAT
Type
Canada
Origin
1 April, 2016
First seen
15 April, 2024
Last seen
Also known as
Schnorchel

How to analyze Orcus RAT with ANY.RUN

RAT
Type
Canada
Origin
1 April, 2016
First seen
15 April, 2024
Last seen

IOCs

IP addresses
193.161.193.99
31.44.184.52
45.81.39.83
94.156.10.119
147.185.221.17
1.1.1.1
89.149.39.9
84.247.114.115
37.243.169.65
172.94.54.88
104.250.175.179
44.203.122.41
147.185.221.16
15.235.3.1
128.59.46.185
91.143.49.85
109.61.224.28
109.61.209.119
209.25.141.180
46.35.26.183
Hashes
79a28f39337be4d6be9435c87d30aa4c1b012d6ee8b4af8bd377ced9c1ceb445
dc57d3bdad4b0f6b136a412525cacd5b07fa4e5a45f962fe64611ca321307855
3bf38e34ffaa2f899271617e49c147e5a27842d57b72469cc781fa1fd425227f
6074998a4a6d0e9fd8aaf5baaa9f144536e2152dfcfe0f60a7d7a2bfdccae7d6
2a009a3d4a00bac5a6dd98172322f8bd406918986049b462c39831d47de03336
79a1c172367081546f2e207dc540856d42db90cd634524266ff97d4a7f3f9426
c1bc0703ca504da7dde5ed44eb37b321a7028dd98d770b02c0a93fefe5958ae2
3923efd1237744aee8474971c6a87d474dc99ab0f09188c451a8aeb23907f76b
e99d59a12dc1d7f76028406efa498c8fa61bf84e9af2d73c622cad2ea6ab3493
b0b3f0abc24923e7dcce744d3259a7dfca653ab5823168277b52b9f85e79f44f
1d02f44b711d20158a977b25d5b444989395accd6434c1cb9d525b9ce948b86e
57ea66a57f97ecee958cca1c7379025750c23ba98ea6dcfaae17fc5f64c9d1c5
9eaace45f4ee1d17aa9c9931e3db10a738c02a405db3811c52426cf10a28280c
10e4076a07c8c5d035d89de0ec3b126ef9c0eb2102135c78ad112d3b77e5cc59
fce825ab881253395f6b8082d7861ecec85393b91e8070d88642733fd809c64c
0fd80d91faaf4a05167f34418ea29c50b4dfe821fe4d4b4c924253a44861ac06
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b
911e3e95efddbae9d1c2f4b04027567c76823116755097b5868b7241c7e30cbc
a7ae98d4b28d1d5648415eb030186297ee9338cba7573912933ff132e84e1afa
871a63d69d41b25f07c7e5029152ebf81ebea054420086f14adb9a3c45bb262c
Domains
0.tcp.eu.ngrok.io
64770.client.sudorat.top
64770.client.sudorat.ru
s7vety-47274.portmap.host
s7vety-27063.portmap.host
6.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
32154.client.sudorat.top
32154.client.sudorat.ru
conflicker-35081.portmap.host
schoolserver-36828.portmap.host
conflicker1-54843.portmap.io
16.ip.gl.ply.gg
4.tcp.ngrok.io
period-disabilities.gl.at.ply.gg
229.ip.ply.gg
13642.client.sudorat.ru
13642.client.sudorat.top
Last Seen at

Recent blog posts

post image
New PowerShell Script Tracer: Analyze PowerSh...
watchers 456
comments 0
post image
Dmitry Marinov: ANY.RUN’s CTO on TI Lookup, S...
watchers 277
comments 0
post image
Malware Trends Report: Q1, 2024
watchers 1835
comments 0

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, which enables remote control of infected systems. Although Orcus RAT malware is mostly a typical member of the RAT family, it has some competitive advantages over similar malware and unique features.

In addition, Orcus RAT has a modular structure, and it gives users the ability to create custom plugins for the malware. The modularity of this trojan gives it higher than standard scalability and management, allowing it to tailor the malware to the needs of various campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name “Orcus RAT” and was presented to the public as legal software for remote administration, similar to Teamviewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT malware has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots and record user input, activate the webcam, steal passwords, record audio, and steal information. In addition, Orcus comes with the ability to detect if it’s being launched on a virtual machine to complicate the analysis by security researchers.

The functions described above already make this malware quite capable. However, it offers a few unusual functions that enhance its functionality. Namely, the RAT in question supports plugins, and besides offering the ability to build them, it has a whole library of already created plugins that attackers can choose from. Furthermore, Orcus RAT plugins can be written in multiple languages, including C#, C++, and VB.Net.

To make the development of extensions more streamlined, malware creators rolled out a dedicated development environment. What’s more, those who lack the skills to build plugins from scratch on their own can follow detailed tutorials and benefit from well-maintained documentation libraries.

Additionally, Orcus had a Github page where authors have published samples of created plugins.

Another relatively unique feature that the malware authors packed into this virus is real-time scripting. Real-time scripting allows Orcus to write and run code on machines that it infected.

Speaking of Orcus RAT malware authors, we know that the virus was developed by a 36-year-old John Revesz, also known as “Armada" on the underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is, in fact, a legitimate program for remote administration, and his company “Orcus Technologies” is a legal business. However, an examination of the functionality clearly revealed that the software is intended for malicious use cases, which resulted in the arrest of Revesz.

It is believed that Revesz wasn’t working alone. Therefore, a joint development effort theory makes sense, especially considering the technological complexity of certain aspects of this malware. For example, Orcus RAT consists of multiple components, with the control panel being a separate component. In addition, the server that the malware establishes a connection with after infection does not hold an admin panel. This architecture provides several advantages to the attackers, for example, the ability to share access to infected PCs from the same server. Additionally, it allows for greater scalability or infected networks.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service displays the execution process of Orcus RAT in real-time.

Read a detailed analysis of OrcusRAT in our blog.

process_graph_of_orcus_rat_execution

Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.

text_report_of_orcus_rat_execution

Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Orcus RAT execution process

The execution process of the Orcus RAT is straightforward. This malware often disguises itself as a cheat code or crack, so it is mostly delivered to a system as an archive file with the compressed executable file inside. Since this trojan was written in C#, it often uses .NET infrastructure, available in Windows. To compile the C# source code, our sample started Visual C# compiler, which, in turn, started the Resource File To COFF Object Conversion Utility. After it was compiled, the executable file began its execution and malicious activity. Note that Orcus remote access tool does not always make its way into an infected system, as described above. In some cases, it comes as a precompiled executable file which only needs a user to double click on it to start the execution.

Orcus RAT malware distribution

Orcus RAT commonly makes its way into target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than at individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server that holds the payload. In order to begin execution, Orcus does require user input. However, in most cases, it is unable to infect the system without user interaction.

How to detect Orcus RAT?

This malware creates files that allow analysts to detect it with a high degree of certainty. To identify the Orcus RAT, open the "Advanced details of process" by clicking on the "More info" button and switch events display to "Raw." This trojan often creates files with "Orcus" in the names, so all we need is to find such a file. To make it easier, type the word "Orcus" in the filename field. If such a file is found, you can be sure that Orcus RAT is in front of you.

files_created_by_orcus_rat

Figure 3: Files created by Orcus RAT

Conclusion

Orcus RAT malware is a sophisticated trojan that offers some unusual functions on top of solid basic info-stealing capabilities. Technical complexity was complemented by an affordable price of just 40 USD. Today, interested users can download a leaked version of Orcus for free. Unfortunately, this, along with excellent support and documentation, ensured the popularity of Orcus RAT.

Since its deployment in 2016, researchers have been observing Orcus RAT campaigns, and the popularity of this malware is still on the rise. As a result, we can expect several new attacks utilizing malicious software in the future.

Researchers can analyze Orcus RAT using the ANY.RUN malware hunting service to study this malware or other RATS such as Quasar RAT or njRAT. ANY.RUN is an interactive sandbox that allows researchers to stop and correct the simulation at any point, which ensures pure research results. In addition, useful information that can be obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime worldwide.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy