BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
18
Global rank
55 infographic chevron month
Month rank
45 infographic chevron week
Week rank
389
IOCs

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

RAT
Type
Canada
Origin
1 April, 2016
First seen
18 June, 2024
Last seen
Also known as
Schnorchel

How to analyze Orcus RAT with ANY.RUN

RAT
Type
Canada
Origin
1 April, 2016
First seen
18 June, 2024
Last seen

IOCs

IP addresses
193.161.193.99
78.101.85.87
147.185.221.17
147.78.103.228
31.44.184.52
45.81.39.83
94.156.10.119
1.1.1.1
89.149.39.9
84.247.114.115
37.243.169.65
172.94.54.88
104.250.175.179
44.203.122.41
147.185.221.16
15.235.3.1
128.59.46.185
91.143.49.85
109.61.224.28
109.61.209.119
Hashes
ac3156c2a296e3f4893c81ed182ae1186da5339402596a0c55f9663121290350
259aa4a7aa808d9c50f006afedc351a5a67d0ecd1bcbccd456848c7aeee10e77
2650cbc6895fb9037a3ad776cc92b980fcde3dbdcbd7abaf02139c159b30599b
776bbb5f7d88e12b3925b9a2fbf5e3760d1b182ae9e19688931f5018ab3091d2
0ae3a713200dc0aeb1d6ee0bb08c55b277155caaefbd799c676fa304f0209553
056a6c749709f142f56666c06f6c358a57ed2ab3197e9b72d6207cadf9d0e72d
2892bffd626838003f33ea2b24be6c4ed0746d72b04bd40fba101fd12ba3006c
fb72b238bed915725b98a8179f81d2fad89cfbb49b018bd58ffe46080558759a
decaffe5023630f9e86e0b4d7f37df3546bb82af0319cc7a811f797e2b187838
9b333d12c220e873a34f4578da285129c12bdefbe244bf1a6dfec21363b0596c
a9e48e461ba8956bb024c6341b90a86bc6df93e015c184dea6828a171c5db7c0
28a41651f10d33e3856c591b151a6f33ac9238233f38b41e1f469d483b5ab213
2d0c70c08c7462e7434f59426971bf3ab8fa2addcb29fb27587bab44930ed391
c3c71eb606004c568d9cb1ca24c2d82f8a89a9bed83bd2f7a4bdb9c439f8a251
30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db
84e95c76d02cef191760810d0a09f28307474ae090dede119a0daf631e4867ff
4e5f4fbc1f843ffe8faa1a2b65988d4183fdd262ee7028550198dcb043d7da35
f3a5124c063c5071cc8ba694024fe59c155ac171598703b0a1b1f2a57c277446
0445e1ef0da0034a58ab40fc43fabee4e48f963aa6a391173990ad88cb2fd14b
10d404f23db26a23371bd6ac2330cfa959c5cb49968dd2d7cc14313d922541fa
Domains
0.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
6.tcp.eu.ngrok.io
any-or.gl.at.ply.gg
5.tcp.eu.ngrok.io
16.ip.gl.ply.gg
s7vety-47274.portmap.host
dfwfdsfsdasd.project-nightfall.com
conflicker-35081.portmap.host
64770.client.sudorat.ru
64770.client.sudorat.top
s7vety-27063.portmap.host
32154.client.sudorat.ru
32154.client.sudorat.top
schoolserver-36828.portmap.host
conflicker1-54843.portmap.io
4.tcp.ngrok.io
period-disabilities.gl.at.ply.gg
229.ip.ply.gg
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is Orcus RAT?

Orcus, previously known as Schnorchel, is a Remote Access Trojan, which enables remote control of infected systems. Although Orcus RAT malware is mostly a typical member of the RAT family, it has some competitive advantages over similar malware and unique features.

In addition, Orcus RAT has a modular structure, and it gives users the ability to create custom plugins for the malware. The modularity of this trojan gives it higher than standard scalability and management, allowing it to tailor the malware to the needs of various campaigns.

The first time we heard about this malware was from a forum post by one of its authors. The post announced the development of a new RAT that was named Schnorchel at the time. Soon after the announcement, the malware became commercially available under the name “Orcus RAT” and was presented to the public as legal software for remote administration, similar to Teamviewer. Interestingly, the authors claimed that the abbreviation RAT stood for Remote Administration Tool and not Remote Access Trojan.

General description of Orcus RAT

Apart from a few exceptions, Orcus RAT malware has a relatively standard but robust feature set for a technologically advanced Remote Access Trojan. The malware can grab screenshots and record user input, activate the webcam, steal passwords, record audio, and steal information. In addition, Orcus comes with the ability to detect if it’s being launched on a virtual machine to complicate the analysis by security researchers.

The functions described above already make this malware quite capable. However, it offers a few unusual functions that enhance its functionality. Namely, the RAT in question supports plugins, and besides offering the ability to build them, it has a whole library of already created plugins that attackers can choose from. Furthermore, Orcus RAT plugins can be written in multiple languages, including C#, C++, and VB.Net.

To make the development of extensions more streamlined, malware creators rolled out a dedicated development environment. What’s more, those who lack the skills to build plugins from scratch on their own can follow detailed tutorials and benefit from well-maintained documentation libraries.

Additionally, Orcus had a Github page where authors have published samples of created plugins.

Another relatively unique feature that the malware authors packed into this virus is real-time scripting. Real-time scripting allows Orcus to write and run code on machines that it infected.

Speaking of Orcus RAT malware authors, we know that the virus was developed by a 36-year-old John Revesz, also known as “Armada" on the underground forums. In 2019, Canadian authorities accused Revesz of operating an international malware distribution scheme.

In his defense, Revesz claimed that the RAT is, in fact, a legitimate program for remote administration, and his company “Orcus Technologies” is a legal business. However, an examination of the functionality clearly revealed that the software is intended for malicious use cases, which resulted in the arrest of Revesz.

It is believed that Revesz wasn’t working alone. Therefore, a joint development effort theory makes sense, especially considering the technological complexity of certain aspects of this malware. For example, Orcus RAT consists of multiple components, with the control panel being a separate component. In addition, the server that the malware establishes a connection with after infection does not hold an admin panel. This architecture provides several advantages to the attackers, for example, the ability to share access to infected PCs from the same server. Additionally, it allows for greater scalability or infected networks.

Orcus RAT malware analysis

A video recorded in the ANY.RUN interactive malware hunting service displays the execution process of Orcus RAT in real-time.

Read a detailed analysis of OrcusRAT in our blog.

process_graph_of_orcus_rat_execution

Figure 1: Displays the execution process of the Orcus RAT. This visualization was generated by ANY.RUN.

text_report_of_orcus_rat_execution

Figure 2: Displays a text report generated by ANY.RUN. Text reports are useful for demonstration and can be customized by a user to show necessary data.

Orcus RAT execution process

The execution process of the Orcus RAT is straightforward. This malware often disguises itself as a cheat code or crack, so it is mostly delivered to a system as an archive file with the compressed executable file inside. Since this trojan was written in C#, it often uses .NET infrastructure, available in Windows. To compile the C# source code, our sample started Visual C# compiler, which, in turn, started the Resource File To COFF Object Conversion Utility. After it was compiled, the executable file began its execution and malicious activity. Note that Orcus remote access tool does not always make its way into an infected system, as described above. In some cases, it comes as a precompiled executable file which only needs a user to double click on it to start the execution.

Orcus RAT malware distribution

Orcus RAT commonly makes its way into target machines as a downloadable attachment in malicious spam emails. Campaigns are often highly targeted and aim at organizations rather than at individuals.

Attackers use phishing and social engineering to trick victims into downloading an attachment or visiting a link that points to a server that holds the payload. In order to begin execution, Orcus does require user input. However, in most cases, it is unable to infect the system without user interaction.

How to detect Orcus RAT?

This malware creates files that allow analysts to detect it with a high degree of certainty. To identify the Orcus RAT, open the "Advanced details of process" by clicking on the "More info" button and switch events display to "Raw." This trojan often creates files with "Orcus" in the names, so all we need is to find such a file. To make it easier, type the word "Orcus" in the filename field. If such a file is found, you can be sure that Orcus RAT is in front of you.

files_created_by_orcus_rat

Figure 3: Files created by Orcus RAT

Conclusion

Orcus RAT malware is a sophisticated trojan that offers some unusual functions on top of solid basic info-stealing capabilities. Technical complexity was complemented by an affordable price of just 40 USD. Today, interested users can download a leaked version of Orcus for free. Unfortunately, this, along with excellent support and documentation, ensured the popularity of Orcus RAT.

Since its deployment in 2016, researchers have been observing Orcus RAT campaigns, and the popularity of this malware is still on the rise. As a result, we can expect several new attacks utilizing malicious software in the future.

Researchers can analyze Orcus RAT using the ANY.RUN malware hunting service to study this malware or other RATS such as Quasar RAT or njRAT. ANY.RUN is an interactive sandbox that allows researchers to stop and correct the simulation at any point, which ensures pure research results. In addition, useful information that can be obtained from the analysis can be added to our growing database of cyber threats to help combat internet crime worldwide.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy