
Ramadan-themed Coca-Cola video used to distribute Orcus RAT in a recent attack campaign

  • A threat actor group named PUSIKURAC is found to be behind this malware campaign.
  • Orcus RAT uses the UAC bypass mechanism to avoid detection by security software.

A new malware campaign distributing the Orcus Remote Access Trojan (RAT) has been discovered recently. A threat actor group named PUSIKURAC is found to be behind the campaign, which begins by embedding the malware in a Ramadan-themed Coca-Cola video.

Modus Operandi

According to cybersecurity vendor Morphisec, the attackers hide the Orcus RAT inside a Coca-Cola video. Once the user clicks on the video, a chain of downloads and processes is initiated. This includes:

  • Using a User Account Control (UAC) bypass technique to search for and hijack a process with the highest privileges on the machine;
  • Using the discovered process to download the infected video;
  • Downloading and executing the malware that comes attached to the video;
  • Gathering data and sending it back to the C2 servers.

Researchers noted that Orcus RAT has been using the UAC bypass mechanism over the past two years to avoid detection by security software.

“This threat actor specifically focuses on information stealing and .NET evasion. Based on unique strings in the malware, we have dubbed the actor PUSIKURAC. Before executing the attacks, PUSIKURAC registers domains through FreeDns services. It also utilizes legitimate free text storage services like paste, signs its executables, heavily misuses commercial .NET packers and embeds payloads within video files and images,” the Morphisec researchers said in a blog post.
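The two points above that matter most to an analyst are that the malware arrives attached to a video and that PUSIKURAC embeds payloads within video files and images. The following triage helper is an added example written for this article, not Morphisec's tooling or any code from the campaign: it identifies what container a file claims to be and then scans the whole blob for a Windows PE header, validating each "MZ" hit through its e_lfanew pointer so that random byte pairs inside compressed media do not fire. The sample "video" and "image" blobs are constructed inline; the magic-byte table and the PE stub layout are assumptions for the demo.

```python
"""Triage helper: find Windows PE executables appended to or embedded in a
media file (video/image), the carrier technique described in the article."""
import struct
from typing import Dict, List

# Magic bytes for the media containers this helper recognises (assumption:
# a handful of common formats is enough for a triage demo).
MEDIA_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF8": "GIF",
    b"RIFF": "RIFF (AVI/WAV)",
    b"\x1a\x45\xdf\xa3": "Matroska/WebM",
}


def identify_container(data: bytes) -> str:
    """Return the media type suggested by the file's leading bytes."""
    for magic, name in MEDIA_MAGIC.items():
        if data.startswith(magic):
            return name
    # ISO BMFF (MP4/MOV) keeps its 'ftyp' box type at offset 4, not 0.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "MP4/ISO-BMFF"
    return "unknown"


def find_embedded_pe(data: bytes) -> List[Dict[str, int]]:
    """Scan for DOS/PE headers anywhere in the blob and validate each hit.

    A candidate is accepted only if 'MZ' is followed by an e_lfanew pointer
    (at +0x3C) that lands on a 'PE\\0\\0' signature inside the buffer; this
    rejects stray 'MZ' byte pairs that occur naturally in video data.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append({"mz_offset": pos, "pe_offset": pe_off})
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Summarise a file: claimed container type plus any embedded PE images."""
    pes = find_embedded_pe(data)
    return {
        "container": identify_container(data),
        "embedded_pe_count": len(pes),
        "pe_offsets": [h["mz_offset"] for h in pes],
        "suspicious": bool(pes),
    }


def _minimal_pe_stub() -> bytes:
    """Constructed 68-byte PE header skeleton (not a runnable program):
    a DOS header with e_lfanew = 0x40, followed by the PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0"


# Constructed sample: a fake MP4 'ftyp' box, an 'mdat' box filled with
# decoy 'MZ' pairs, and then a PE stub appended at the end (offset 288).
SAMPLE_VIDEO = (
    b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00isommp42"   # 24-byte ftyp box
    + b"\x00\x00\x10\x00mdat" + b"\x5aMZ\x5a" * 64       # mdat with decoys
    + _minimal_pe_stub()
)

# Constructed clean sample: a PNG signature followed by filler bytes.
CLEAN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 256

if __name__ == "__main__":
    for name, blob in (("sample.mp4", SAMPLE_VIDEO), ("clean.png", CLEAN_IMAGE)):
        print(name, triage(blob))
```

Run it on any file read in binary mode; a media file whose triage result reports an embedded PE is worth pulling for sandbox analysis. The e_lfanew validation is what keeps the false-positive rate usable: the decoy region in the sample contains 64 "MZ" pairs and none of them survives the check.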

A successful attack enables the Orcus trojan to perform several nefarious activities. These include stealing browser cookies and passwords, launching server stress tests for DDoS attacks, disabling webcam activity indicators, recording microphone input, spoofing file extensions, and logging keystrokes.
