Orcus RAT

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT lets attackers create plugins using a custom development library and offers a very robust core feature set, which makes it one of the most dangerous malicious programs in its class.

Type: RAT
Origin: Canada
First seen: 1 April, 2016
Last seen: 30 March, 2020
Also known as: Schnorchel
Global rank: 23
Week rank: 10
Month rank: 16
IOCs: 242

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, a kind of malware that enables remote control of infected systems. Although Orcus RAT is mostly a typical member of the RAT family, it has some competitive advantages over similar malware and a few unique features.

In addition, Orcus RAT has a modular structure and gives its users the ability to create custom plugins for the malware. This modularity gives it better scalability and manageability than a standard RAT, allowing operators to tailor the malware to the needs of different campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name "Orcus RAT" and was presented to the public as legitimate remote administration software, similar to TeamViewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots, log keystrokes, activate the webcam, record audio, steal passwords and exfiltrate other information. In addition, Orcus can detect whether it is being launched on a virtual machine, which complicates analysis by security researchers.

The functions described above already make this malware quite capable, but it also offers a few unusual capabilities. Namely, the RAT supports plugins: besides offering the ability to build them, it ships with a library of ready-made plugins that attackers can choose from. Orcus RAT plugins can be written in multiple languages, including C#, C++ and VB.NET.

To streamline the development of extensions, the malware creators released a dedicated development environment. What's more, those who lack the skills to build plugins from scratch can follow detailed tutorials and benefit from well-maintained documentation.

Additionally, Orcus had a GitHub page where the authors published sample plugins.

Another relatively unique feature that the malware authors packed into this RAT is real-time scripting. Real-time scripting lets the operator write code in the control panel and run it immediately on infected machines, without rebuilding or redeploying the implant.

As for the authors of Orcus RAT, we know that the malware was developed by 36-year-old John Revesz, also known as "Armada" on underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is, in fact, a legitimate program for remote administration and that his company "Orcus Technologies" is a legal business. However, an examination of the functionality clearly revealed that the software is intended for malicious use, which resulted in the arrest of Revesz.

It is believed that Revesz was not working alone. A joint development effort is plausible, especially considering the technical complexity of certain aspects of this malware. For example, Orcus RAT consists of multiple components, with the control panel (the administration client) being separate from the server. The server that the malware connects to after infection does not itself host the admin panel. This architecture gives attackers several advantages, for example the ability to share access to infected PCs connected to the same server, and it allows infected networks to scale further.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service displays the execution process of Orcus RAT in real-time.

Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.

Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Orcus RAT execution process

The execution process of the Orcus RAT is simple and straightforward. This malware often disguises itself as a game cheat or software crack, so it is mostly delivered as an archive file with the compressed executable inside. Since this trojan is written in C#, it relies on the .NET infrastructure that ships with Windows. In our sample, the dropped loader compiled C# source code at runtime: it started the Visual C# compiler (csc.exe), which in turn started the Resource File To COFF Object Conversion Utility (cvtres.exe). Once compiled, the resulting executable began its execution and malicious activity. Note that Orcus does not always arrive on an infected system this way. In some cases, it comes as a precompiled executable that only needs the user to double-click it to start execution.

Orcus RAT malware distribution

Orcus RAT commonly makes its way onto target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server hosting the payload. Orcus requires user interaction to begin execution; in most cases it cannot infect a system on its own.

How to detect Orcus RAT?

This malware creates files that allow analysts to identify it with a high degree of certainty. To identify Orcus RAT in ANY.RUN, open the "Advanced details of process" view by clicking the "More info" button and switch the event display to "Raw". This trojan often creates files with "Orcus" in their names, so all we need to do is find such a file. To make it easier, type the word "Orcus" into the filename filter. If such a file is found, you can be confident that you are looking at Orcus RAT.

Figure 3: Files created by Orcus RAT
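The two sandbox observations described on this page, the runtime compilation chain (csc.exe spawning cvtres.exe from a non-developer parent) and files created with "Orcus" in the name, can be turned into a simple detector. The script below is an added example, not ANY.RUN's code or part of Orcus itself; the event line format (`PROC|pid|ppid|image` and `FILE|pid|path`) and the sample events are constructed for this example and do not reflect any real sandbox export.

```python
"""Two sandbox-derived Orcus RAT indicators, checked over constructed events.

1. Runtime compilation: a non-developer process launches the .NET C# compiler
   (csc.exe), which in turn launches cvtres.exe.
2. Files created with "Orcus" in the file name.

The event format below is an assumption for this example, not ANY.RUN's
real export format.
"""
from typing import Dict, List, Tuple

# Constructed sample events (not real sandbox output).
#   PROC|<pid>|<parent pid>|<image path>
#   FILE|<pid>|<path of created file>
SAMPLE_EVENTS = """\
PROC|1000|500|C:\\Users\\user\\Downloads\\cheat_v2.exe
PROC|1100|1000|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe
PROC|1200|1100|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe
FILE|1000|C:\\Users\\user\\AppData\\Local\\Temp\\src.cs
FILE|1100|C:\\Users\\user\\AppData\\Roaming\\Orcus\\Orcus.exe
PROC|1300|1000|C:\\Users\\user\\AppData\\Roaming\\Orcus\\Orcus.exe
FILE|1300|C:\\Users\\user\\AppData\\Roaming\\Orcus\\Orcus.exe.config
PROC|2000|600|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe
PROC|2100|2000|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe
PROC|2200|2100|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe
"""

# Parents for which a csc.exe -> cvtres.exe chain is expected (build tooling).
BENIGN_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}
COMPILER = "csc.exe"
RESOURCE_TOOL = "cvtres.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> Tuple[Dict[int, Tuple[int, str]], List[Tuple[int, str]]]:
    """Return (pid -> (ppid, image), [(pid, created path), ...])."""
    procs: Dict[int, Tuple[int, str]] = {}
    files: List[Tuple[int, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, *fields = line.split("|")
        if kind == "PROC" and len(fields) == 3:
            pid, ppid, image = fields
            procs[int(pid)] = (int(ppid), image)
        elif kind == "FILE" and len(fields) == 2:
            pid, path = fields
            files.append((int(pid), path))
    return procs, files


def find_indicators(procs: Dict[int, Tuple[int, str]], files: List[Tuple[int, str]]) -> List[dict]:
    hits: List[dict] = []
    # Indicator 1: cvtres.exe whose parent is csc.exe, launched by something
    # other than a known build tool (e.g. an executable from Downloads).
    for pid, (ppid, image) in procs.items():
        if basename(image) != RESOURCE_TOOL:
            continue
        parent = procs.get(ppid)
        if parent is None or basename(parent[1]) != COMPILER:
            continue
        grand = procs.get(parent[0])
        launcher = basename(grand[1]) if grand else "<unknown>"
        if launcher not in BENIGN_COMPILER_PARENTS:
            hits.append({"kind": "runtime_compile", "pid": parent[0], "launcher": launcher})
    # Indicator 2: any created file whose name contains "orcus".
    for pid, path in files:
        if "orcus" in basename(path):
            hits.append({"kind": "orcus_filename", "pid": pid, "path": path})
    return hits


def scan(text: str) -> List[dict]:
    return find_indicators(*parse_events(text))


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The compilation chain on its own is weak evidence (build servers and developer workstations legitimately run csc.exe and cvtres.exe), which is why the launcher process is checked; the "Orcus" file-name indicator is the stronger of the two and is the one the page relies on.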

Conclusion

Orcus RAT is a sophisticated trojan that offers some unusual functions on top of solid basic information-stealing capabilities. Its technical complexity was complemented by an affordable price of just 40 USD, and today interested users can download a leaked version of Orcus for free. Unfortunately, this, along with excellent support and documentation, has ensured the popularity of Orcus RAT.

Since its deployment in 2016, researchers have continued to observe Orcus RAT campaigns, and the popularity of this malware is still on the rise. We can expect new campaigns using this malware in the future.

Researchers can analyze Orcus RAT using the ANY.RUN malware hunting service. ANY.RUN is an interactive sandbox that lets researchers intervene in the analysis at any point, which helps produce accurate research results. Useful information obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime around the world.

IOCs

IP addresses
193.161.193.99
91.218.65.24
173.66.97.184
91.218.65.8
45.138.110.54
18.223.41.243
45.76.22.91
95.144.8.147
35.192.205.70
209.182.219.49
37.79.216.40
185.251.39.102
107.191.42.175
162.200.139.146
185.198.26.245
18.221.17.220
5.79.171.76
95.216.217.175
92.222.72.160
96.30.193.234
Hashes

Domains
majul.com
scca.duckdns.org
takethei.duckdns.org
bnow.duckdns.org
admin4-49016.portmap.host
JamieJefferson222-24045.portmap.host
sekmjbh-44659.portmap.io
ionusos.gleeze.com
carolynne-24047.portmap.host
ionusos-25533.portmap.host
gloober-35411.portmap.host
server12511.sytes.net
UbiquitousLV-34772.portmap.host
DARKBOTNET1337-53975.portmap.io
fertun-31739.portmap.host
Super21-22019.portmap.host
Leep-25813.portmap.host
RatsAreCute-52351.portmap.io
sweeper-63754.portmap.host
nobert-51061.portmap.host
