Orcus RAT

Orcus is a modular Remote Access Trojan with some unusual functions. It lets attackers create plugins with a custom development library and offers a very robust core feature set, which makes it one of the most dangerous malicious programs in its class.

Type: RAT
Origin: Canada
First seen: 1 April, 2016
Last seen: 20 February, 2020
Also known as: Schnorchel
Global rank: 24
Week rank: 23
Month rank: 22
IOCs: 211

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, malware that enables remote control of infected systems. Although Orcus RAT is in most respects a typical member of the RAT family, it has some competitive advantages over similar malware and a few unique features.

In addition, Orcus RAT has a modular structure that gives users the ability to create custom plugins for the malware. This modularity makes the trojan more scalable and easier to manage than most of its peers, and lets operators tailor it to the needs of different campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name "Orcus RAT" and was presented to the public as legitimate remote administration software, similar to TeamViewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots, log keystrokes, activate the webcam, record audio, and steal passwords and other information. In addition, Orcus can detect whether it is running inside a virtual machine, which complicates analysis by security researchers.

The functions described above already make this malware quite capable, but it also offers a few unusual ones. The RAT supports plugins: besides letting operators build their own, it ships with a library of ready-made plugins to choose from. Orcus RAT plugins can be written in multiple languages, including C#, C++, and VB.NET.

To make plugin development more streamlined, the malware creators rolled out a dedicated development environment. What's more, those who lack the skills to build plugins from scratch can follow detailed tutorials and rely on well-maintained documentation.

Additionally, Orcus had a GitHub page where the authors published sample plugins.

Another relatively unique feature the malware authors packed into Orcus is real-time scripting, which lets an operator write code and run it on infected machines on the fly.

As for the Orcus RAT authors, the malware was developed by John Revesz, then 36 years old and known as "Armada" on underground forums. In 2019, Canadian authorities charged Revesz with operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is in fact a legitimate remote administration program and that his company, "Orcus Technologies", is a legal business. However, an examination of the functionality clearly showed that the software was intended for malicious use, which led to Revesz's arrest.

It is believed that Revesz was not working alone; a joint development effort is plausible given the technical complexity of certain parts of this malware. For example, Orcus RAT consists of multiple components, and the control panel is separate from the server: the server that infected hosts connect to does not itself host the admin panel. This architecture gives attackers several advantages, such as the ability to share access to infected PCs connected to the same server and to scale up the network of infected hosts.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows the execution process of Orcus RAT in real time.


Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.


Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Orcus RAT execution process

The execution process of Orcus RAT is simple and straightforward. The malware often disguises itself as a game cheat or a software crack, so it is mostly delivered as an archive that contains the executable. Since the trojan is written in C#, it relies on the .NET infrastructure that ships with Windows. Our sample started the Visual C# compiler (csc.exe) to compile C# source code at runtime, and csc.exe in turn started the Resource File To COFF Object Conversion Utility (cvtres.exe). Once compiled, the executable began its execution and malicious activity. Note that Orcus does not always enter a system this way: in some cases it arrives as a precompiled executable that only needs the user to double-click it.

Orcus RAT malware distribution

Orcus RAT commonly makes its way into target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than at individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server holding the payload. Orcus requires user input to begin execution; in most cases it cannot infect a system without user interaction.

How to detect Orcus RAT?

This malware creates files that allow analysts to identify it with a high degree of certainty. To identify Orcus RAT in ANY.RUN, open "Advanced details of process" by clicking the "More info" button and switch the events display to "Raw". The trojan often creates files with "Orcus" in their names, so all we need to do is find such a file; to make it easier, type "Orcus" in the filename field. If such a file is present, you can be confident that you are looking at Orcus RAT.


Figure 3: Files created by Orcus RAT
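The two traits described above (files with "Orcus" in their names, and the csc.exe -> cvtres.exe chain seen during runtime compilation) can be turned into a small triage check over the raw event list a sandbox exports. The script below is an added example, not ANY.RUN's tooling or any Orcus code; the events, process IDs and the AppData\Roaming\Orcus path are constructed for illustration, and real Orcus builds may drop files elsewhere.

```python
"""Triage sandbox-style events for two Orcus RAT traits:
1. a created file whose name contains "Orcus";
2. csc.exe spawning cvtres.exe (runtime C# compilation).
Added example; event data below is constructed, not a real trace."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "process" (start) or "file" (create)
    pid: int             # acting process id
    image: str           # full path of the acting process
    parent_pid: int = 0  # only meaningful for "process" events
    path: str = ""       # created file path for "file" events


# Constructed events shaped like a sandbox "Raw" event view.
# The Orcus drop path is an assumption used for illustration.
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Users\user\Desktop\cheat.exe"),
    Event("process", 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
          parent_pid=100),
    Event("process", 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
          parent_pid=200),
    Event("file", 100, r"C:\Users\user\Desktop\cheat.exe",
          path=r"C:\Users\user\AppData\Roaming\Orcus\Orcus.exe"),
    Event("file", 100, r"C:\Users\user\Desktop\cheat.exe",
          path=r"C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"),
]


def basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on Linux.
    return ntpath.basename(path).lower()


def orcus_named_files(events):
    """Paths of created files whose file name contains 'orcus' (case-insensitive)."""
    return [e.path for e in events
            if e.kind == "file" and "orcus" in basename(e.path)]


def runtime_compile_chains(events):
    """(origin image, csc pid) for every cvtres.exe whose parent is csc.exe.
    The origin is the process that launched csc.exe, i.e. the sample itself."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for proc in procs.values():
        if basename(proc.image) != "cvtres.exe":
            continue
        csc = procs.get(proc.parent_pid)
        if csc is not None and basename(csc.image) == "csc.exe":
            origin = procs.get(csc.parent_pid)
            hits.append((origin.image if origin else None, csc.pid))
    return hits


def verdict(events) -> str:
    """'orcus' on a file-name hit, 'suspicious-compile' on the compile chain
    alone (not unique to Orcus), otherwise 'clean'."""
    if orcus_named_files(events):
        return "orcus"
    if runtime_compile_chains(events):
        return "suspicious-compile"
    return "clean"


if __name__ == "__main__":
    print("files:", orcus_named_files(SAMPLE_EVENTS))
    print("chains:", runtime_compile_chains(SAMPLE_EVENTS))
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The file-name rule is the strong signal; the csc.exe -> cvtres.exe chain on its own only says that a .NET program compiled code at runtime, which other malware families and some legitimate software also do, so it is reported as suspicious rather than as an Orcus verdict.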

Conclusion

Orcus RAT is a sophisticated trojan that offers some unusual functions on top of solid basic info-stealing capabilities. Its technical complexity was complemented by an affordable price of just 40 USD, and today a leaked version of Orcus can be downloaded for free. Together with excellent support and documentation, this has ensured the popularity of Orcus RAT.

Since its release in 2016, researchers have observed Orcus RAT campaigns continuously, and the malware's popularity is still on the rise. We can expect new attacks using it in the future.

Researchers can analyze Orcus RAT with the ANY.RUN malware hunting service. ANY.RUN is an interactive sandbox that lets researchers pause and adjust the simulation at any point, ensuring clean research results. Useful information obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime around the world.

IOCs

IP addresses
193.161.193.99
18.223.41.243
37.79.216.40
185.251.39.102
107.191.42.175
162.200.139.146
185.198.26.245
18.221.17.220
5.79.171.76
95.216.217.175
92.222.72.160
96.30.193.234
176.227.191.12
199.195.250.222
184.105.126.96
84.108.213.8
95.179.228.100
80.42.168.122
185.165.153.85
65.49.81.174
Hashes

Domains
majul.com
bnow.duckdns.org
takethei.duckdns.org
scca.duckdns.org
check.portmap.io
spenzmarine-56499.portmap.io
fobeno-42652.portmap.io
lololol-54262.portmap.io
Theprohd-59801.portmap.io
aras008-48301.portmap.io
utku01-35105.portmap.io
magicme-54389.portmap.io
gmxvpn-51019.portmap.io
SayNigger123-51458.portmap.host
tkmremi-31995.portmap.io
james871-47359.portmap.host
anonymoushosting-60450.portmap.io
baroud-44589.portmap.io
MORFEY888-55156.portmap.host
jamesbond007634-36688.portmap.host
