Orcus RAT peddled on underground hacking forums

Jul 6, 2016 09:30 GMT  ·  By

Orcus is the name of a remote administration tool (RAT) recently found in multiple malware samples discovered by security researchers from MalwareHunterTeam.

These files were used to infect users with the client version of the RAT, which brought them under the control of its main operator.

Orcus RAT hides behind "legitimate business"

Orcus is advertised on its homepage as a remote administration tool, behaving similarly to TeamViewer and other applications.

Unfortunately, it's not as "clean" as those apps, since Orcus blatantly advertises illegal features, such as the ability to "recover" browser cookies and passwords from famous applications, launch server stress tests (DDoS attacks), disable the webcam activity light, record microphone input, spoof file extensions, log keystrokes, and many more.

Most of these features are provided as plugins to the main Orcus package, which is sold for $40 paid in Bitcoin or via a PayPal account.

According to the official website, the Orcus RAT is managed by Orcus Technologies. There was no registration number or any other type of official details regarding Orcus Technologies on the Orcus RAT website.

  Orcus Technologies is a registered business in Ontario, Canada. It is the brain child of Sorzus and Armada. The primary focus is networking and easy availability to network resources in a reliable technical model.  

Even though the Orcus team has a GitHub page and an official-looking website, the two men behind the RAT, Sorzus and Armada, personally advertised the Orcus RAT on HackForums.net, a well-known forum for finding, buying, and selling hacks, exploits, and malware.

By doing so, the two have indirectly revealed the target audience their software was aiming for, practically admitting that "remote administration tool" is actually more of a "remote administration trojan" when you take all evidence into account.

Orcus RAT - technical details

According to Sorzus, Orcus is a RAT that can only infect Windows computers and uses a three-part infrastructure model: the Orcus administration panel, the Orcus client bot, and an intermediary server.

The infected bot and the Orcus admin use the server as a proxy to exchange commands and relay stolen information. Orcus buyers can use a GUI or a command-line client to interact with the clients.

This feature is similar to the "station" feature in the Blackshades RAT. Maybe Sorzus and Armada should learn from what happened to Michael Hogue and Alex Yucel, the creators of Blackshades, who were recently sentenced. While Hogue got off easy without any prison time, Yucel will have to spend 57 months in jail.

"Other RATs dont [sic] have the extra server part. Clients just connect directly to the administration. The method Orcus is using has a lot of advantages: You can host the server on a VPS and manage the clients from your Windows system, multiple administrations can connect so you can manage the clients together - they are synchronized," Sorzus adds.

Orcus internal structure

Sorzus also says that Orcus "is completely written in Visual C# with the power of WPF" [Windows Presentation Foundation].

An Android app is also provided so that Orcus admins can manage their "clients." The app has been available on the Google Play store since June 4, and at the time of writing it has between 50 and 100 installs.

Orcus-laced malware samples found in the wild

Based on malware samples analyzed by MalwareHunterTeam, there appears to be an ongoing campaign of distributing Orcus RAT clients. Some of these samples are even distributing cracked versions of the Orcus client, meaning a few of the people behind these campaigns haven't even bothered to buy the RAT.

Some of these samples were signed with invalid Apple, Microsoft or Notepad++ certificates. Here is a list of current C&C servers used in Orcus RAT operations, extracted from over 40 different malware samples.

Some of these IPs lead back to CrypticVPN, a service previously tied to many cyber-crime operations. "Many skids used it before, looks like this is a good one for them," MalwareHunterTeam told Softpedia.

"And as you can see on the second image in the tweet, there are more DDNS [Dynamic DNS services] attached to it," he also added. "This can mean more than one actor uses it, or one actor with multiple domains."

In an email received following the publication of this article, a CrypticVPN spokesperson told Softpedia that their service strictly prohibits this kind of behavior and has started working with MalwareHunterTeam "to remove users of this software from our network as it violates our TOS."

The good news is that antivirus engines have a pretty good idea of how to classify Orcus RAT samples, and that's in the "bad boy" category.

It is unclear who is distributing these samples. Even if it is not Sorzus and Armada, RAT authors are almost always found just as guilty as the people who use the malware, so the two might want to rethink their actions before their product becomes more widespread and catches the eye of law enforcement.

Below is a YouTube video of somebody demoing the Orcus RAT and a complete list of Orcus RAT current features.

UPDATE [July 8, 2016]: Added statements from CrypticVPN spokesperson.

Orcus RAT Features

Orcus admin panel