The ASEC analysis team has recently discovered Orcus RAT being distributed on file-sharing sites, disguised as a cracked version of a major Korean word processing program comparable to Microsoft Office Word.

Orcus RAT - quick overview

Orcus RAT, formerly known as Schnorchel, allows for remote control of infected systems.
  • First seen on April 1, 2016, it stands out among other RATs for its unique features and advantages, such as its modular structure. Canada is believed to be the origin of the malware.
  • The malware is capable of keylogging, executing commands, and collecting account and webcam information.

Diving into details

In the ongoing campaign, hackers attempt to deploy an Orcus RAT variant as well as XMRig CoinMiner disguised as a cracked version of Hangul Word Processor 2022. The malicious packages were uploaded to multiple file-sharing sites for distribution and infection.
  • The new version of Orcus RAT features a complex mechanism for evading detection by antivirus software and uses PowerShell commands registered in the Task Scheduler to periodically install updates.
  • It is being distributed on file-sharing sites and torrents, which are the primary channels used by threat actors to target Korean users.

The group behind this distribution is believed to be the same one that previously spread BitRAT and XMRig CoinMiner, which were also disguised as Windows license verification tools on file-sharing sites.

Modus operandi

The initial malware installed is a downloader that installs different types of malware based on certain conditions.
  • Before proceeding with the installation, it collects basic information such as the infected system's username and IP address, and sends it via Telegram API.
  • To evade detection by antivirus software, the threat actors are installing NirCmd in the infected system.
  • The RDP control feature of Orcus RAT involves installing RDP Wrapper and creating an account named “OrcusRDP”, which the threat actor can use to log in remotely.
  • Orcus RAT uses the TLS protocol in communications with the C&C server, which encrypts packets by default.
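The following PowerShell hunt is an added example, not code from the ASEC or Cyware report, that checks a Windows host for the artefacts listed above. The account name "OrcusRDP" comes from the report; the RDP Wrapper file path and the TermService ServiceDll check are assumptions based on how the open-source RDP Wrapper project installs itself, and the report gives no path for NirCmd, so it is not checked here.

```powershell
# Hunt for host artefacts matching the Orcus RAT campaign described above.
# Run in an elevated PowerShell 5.1+ session; output is a list of findings to triage.
$findings = @()

# 1. The "OrcusRDP" local account created for the RDP control feature (name from the report)
$acct = Get-LocalUser -Name 'OrcusRDP' -ErrorAction SilentlyContinue
if ($acct) {
    $findings += "Local account 'OrcusRDP' exists (enabled: $($acct.Enabled))"
}

# 2. RDP Wrapper: default install path of the open-source project (assumption, not from the report)
$rdpwrap = Join-Path $env:ProgramFiles 'RDP Wrapper\rdpwrap.dll'
if (Test-Path $rdpwrap) {
    $findings += "RDP Wrapper library present: $rdpwrap"
}
# RDP Wrapper hooks Terminal Services by repointing the TermService ServiceDll away from termsrv.dll
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($params.ServiceDll -and $params.ServiceDll -notmatch 'termsrv\.dll$') {
    $findings += "TermService ServiceDll redirected to: $($params.ServiceDll)"
}

# 3. Scheduled tasks whose action launches PowerShell (the report's update mechanism).
#    Legitimate Microsoft tasks also use PowerShell, so each hit needs manual review.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell' -or $action.Arguments -match 'powershell') {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs: $($action.Execute) $($action.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No matching artefacts found.' } else { $findings }
```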

The bottom line

ASEC advises users to be careful when running executables downloaded from file-sharing services and to download products from their official websites. The malware is being actively propagated, so caution is essential to stay safe from this threat.
Cyware Publisher