Researchers recently uncovered details about the Orcus RAT campaign that uses a cracked version of the Hangul Word processor to propagate. Hangul is a Korean word-processing program like MS Word.
Orcus is a remote access trojan that enables its operators to control an infected system remotely. Researchers first identified Orcus in April 2016, and even then it had unique features and capabilities. Analysts claimed that Orcus originated in Canada.
Some of the abilities offered by Orcus are keylogging, running commands, and information harvesting.
The Orcus RAT mixed with XMRig CoinMiner is hiding in a cracked Word processor.
According to investigations, the Orcus RAT operators tried to launch their malware and an XMRig coinminer obfuscated inside a cracked version of the Hangul Word processor. The group uploaded the malicious packages to multiple file-sharing websites for propagation and infection.
Additionally, the new version of Orcus RAT includes a mechanism that could bypass detection by AV software. Moreover, the malware could use PowerShell commands registered with the task scheduler to install patches continually.
Currently, the threat actors distribute their RAT on file-sharing websites and torrents since it is the common channel used by malicious groups to target Koreans.
During an infection process, the initial malware installed is a downloader that installs various types of malware strains based on certain conditions. Subsequently, the malware collects basic information from the targeted system, such as username and IP address, before commencing the installation.
Furthermore, the Orcus RAT operators install NirCMD on the compromised system to bypass detection by antivirus software. The RDP control ability of Orcus RAT also includes installing RDP Wrapper and creating an account called OrcusRDP. These abilities could allow the threat operators to log in to the system remotely.
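The behaviours described above (a scheduled task that runs PowerShell, the NirCMD and RDP Wrapper components, and a local account named OrcusRDP) are all visible in the Windows Security log. The following triage script is an added example, not code from the article or from the researchers it cites: it runs over a handful of constructed event records and flags the ones matching those behaviours. The event IDs are the standard Security log IDs (4720 account created, 4698 scheduled task created, 4688 process created); the binary names `nircmd.exe`, `RDPWInst.exe` and `rdpwrap.dll`, the simplified dict shape of the events and the sample values are assumptions made for the example.

```python
"""Added example: triage Windows Security events for indicators the article
attributes to the Orcus RAT campaign.  Event records are simplified dicts
constructed here for illustration; they are not real log data."""
import re

# Account name the article says the RAT creates for RDP access.
SUSPECT_ACCOUNT = "orcusrdp"
# File names of NirCMD and RDP Wrapper components (assumption for this example).
SUSPECT_BINARIES = {"nircmd.exe", "rdpwinst.exe", "rdpwrap.dll"}
# Either PowerShell host, with or without the .exe suffix.
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def classify(event):
    """Return a short tag if the event matches an Orcus-style indicator, else None."""
    eid = event.get("EventID")
    if eid == 4720:  # user account created
        if event.get("TargetUserName", "").lower() == SUSPECT_ACCOUNT:
            return "account-creation:OrcusRDP"
    elif eid == 4698:  # scheduled task created; TaskContent carries the task XML
        if POWERSHELL_RE.search(event.get("TaskContent", "")):
            return "scheduled-task:powershell"
    elif eid == 4688:  # process created
        path = event.get("NewProcessName", "").replace("\\", "/")
        image = path.rsplit("/", 1)[-1].lower()
        if image in SUSPECT_BINARIES:
            return f"process:{image}"
    return None


def triage(events):
    """Return (EventRecordID, tag) pairs for every event that matched an indicator."""
    return [(e["EventRecordID"], tag) for e in events if (tag := classify(e))]


# Constructed sample records: three should fire, two are benign noise.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 4720, "TargetUserName": "OrcusRDP"},
    {"EventRecordID": 102, "EventID": 4698,
     "TaskContent": "<Command>powershell.exe</Command>"
                    "<Arguments>-NoProfile -File C:\\Users\\Public\\update.ps1</Arguments>"},
    {"EventRecordID": 103, "EventID": 4698,
     "TaskContent": "<Command>C:\\Windows\\System32\\notepad.exe</Command>"},
    {"EventRecordID": 104, "EventID": 4688, "NewProcessName": "C:\\ProgramData\\nircmd.exe"},
    {"EventRecordID": 105, "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for record_id, tag in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {tag}")
```

A PowerShell-launching scheduled task is common in legitimate administration, so the `scheduled-task:powershell` tag is a lead to review alongside the task's arguments and creator, not a verdict on its own; the account-name and binary-name matches are far more specific to this campaign.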
Lastly, this remote access trojan uses the TLS protocol to communicate with its command-and-control server, so its packets are encrypted by default.
As of now, users should be wary when running executables downloaded from file-sharing platforms. Experts advise that users should always download essential products from official websites. The Orcus RAT malware is currently heavily propagated by its operators via popular cracked software, so users should be careful about downloading such tools.