Cybersecurity vendor Morphisec has released the details of a malware campaign distributing the Orcus Remote Access Trojan (RAT). The RAT is hidden inside a Coca-Cola video, and when the user watches the video the RAT installs itself on their computer. This is not the first malware campaign by the threat actor Morphisec calls PUSIKURAC to use the Orcus RAT.
According to the authors of the blog: “The attack uses multiple advanced evasive techniques to bypass security tools. In a successful attack, the Orcus RAT can steal browser cookies and passwords, launch server stress tests (DDoS attacks), disable the webcam activity light, record microphone input, spoof file extensions, log keystrokes and more.”
How does it work?
It’s relatively simple. The user clicks on a link that they believe is a video file containing a Ramadan-themed Coca-Cola commercial. This starts a series of downloads and processes that:
- Use a User Account Control (UAC) bypass technique to search for and hijack a process with the highest privileges on the machine
- Use that process to download the infected video
- Allow the malware attached to the video to execute with the same privileges and install itself on the machine
- Gather data and send it back to the command and control (C&C) servers
The Morphisec researchers point out that the UAC bypass mechanism used here is not new. It is a weakness that malware has been exploiting for over two years. The malware is protected with the ConfuserEx obfuscation framework, which helps it avoid detection by security software.
Interestingly, the Morphisec analysis also notes that the software uses anti-VM techniques. This is almost certainly intended to stop security teams from analysing it in virtual machines and sandboxes.
Malware or legitimate software gone wrong?
Orcus RAT has been around for several years. Until recently it was openly sold as an administration tool. This shows the problem of deciding whether a product is intended for good or bad. There are a lot of commercial remote access products out there. Some are used by organisations to reach their own machines remotely, and others are used by security researchers.
In the case of Orcus RAT, the original developer claimed this was a commercial product that had attracted interest from the military. However, he also engaged with hacking groups on how to use the product. Orcus RAT has been used in a number of different attacks over the past few years.
In 2016 Brian Krebs, using information from MalwareHunterTeam (@malwrhunterteam), took a close look at Orcus and the person behind it. The comments at the bottom of that article are interesting and show the developer trying to justify what he did. That wasn’t enough to close the product; that news came on Jan 16, 2019. According to the site, the Orcus Project is closed, although the software and source code are being made available free.
The developer also claims that there is a kill switch for security researchers to stop all badly behaving Orcus RAT servers that they find. He also asks that they don’t take down all instances so that legitimate users are not penalised. It will be interesting to see how that plays out.
Enterprise Times: What does this mean?
Any administration tool can be used for good or bad, but that doesn’t mean such tools should not be created or used. However, supporting people who are openly using the product for malicious ends calls the whole purpose of the tool into question. More importantly, since the Krebs piece back in 2016, Orcus RAT has been named in a number of malware campaigns. It has also been tracked and monitored by several security companies.
Defending against these attacks is not simple. Proper patching and deployment of security software is one step. Another is to limit the privileges that users have to what they actually need. This won’t completely defeat UAC bypasses, but it does make the attacker work harder.
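One cheap control that fits this campaign is to refuse to trust a "video" on its name alone: the lure is a file the user believes is a video, and Orcus itself can spoof file extensions. The check below is an added example, not code from Morphisec or the article; it compares a file's claimed extension with its header bytes and flags double extensions such as `ad.mp4.scr`. The signatures and sample files are constructed for the example.

```python
"""Flag files presented as videos whose content or full name says otherwise.
Added example, not from Morphisec or the article; sample files are constructed."""
import os

# Header signatures for the formats this check cares about (constructed, not exhaustive).
EXECUTABLE_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable"}
VIDEO_EXTENSIONS = {".mp4", ".m4v", ".mov", ".avi", ".mkv", ".webm"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def sniff_type(data: bytes) -> str:
    """Coarse content type taken from the header, independent of the file name."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[4:8] == b"ftyp":                  # ISO base media box: MP4/MOV/M4V
        return "isobmff-video"
    if data.startswith(b"RIFF") and data[8:12] == b"AVI ":
        return "avi-video"
    if data.startswith(b"\x1aE\xdf\xa3"):     # EBML header: MKV/WebM
        return "matroska-video"
    return "unknown"


def spoof_findings(name: str, data: bytes) -> list:
    """Return reasons not to trust a 'video'; an empty list means nothing was found."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]     # ".mp4" in "ad.mp4.scr", "" otherwise
    kind = sniff_type(data)
    if ext in VIDEO_EXTENSIONS and kind.endswith("executable"):
        findings.append("video extension, executable header")
    if inner_ext in VIDEO_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double extension hides executable")
    if ext in VIDEO_EXTENSIONS and kind == "unknown":
        findings.append("video extension, unrecognised header")
    return findings


if __name__ == "__main__":
    # Constructed samples: a PE stub renamed .mp4, a double-extension name, a genuine-looking MP4.
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    samples = [
        ("ramadan_ad.mp4", pe_stub),
        ("ramadan_ad.mp4.scr", pe_stub),
        ("ramadan_ad.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 52),
    ]
    for fname, blob in samples:
        print(f"{fname:22} {sniff_type(blob):16} {spoof_findings(fname, blob) or 'ok'}")
```

On a mail gateway or download proxy this is the kind of check that catches the lure before the UAC bypass ever runs; it does nothing against a genuine video that carries a separate dropper, so it complements rather than replaces endpoint controls.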
Now that the code has been made freely available, Morphisec says it expects to see more attacks using Orcus RAT.