Getting persistent malware onto a corporate network is one of the main goals of many attack groups, and they’re constantly looking for new methods to get the job done. But sometimes it’s the tried-and-true techniques that are the most effective. Researchers have been following the activity of one group that is using high-quality spear phishing emails targeting financial services companies and government agencies to install a modified version of the well-known Orcus RAT and exfiltrate a variety of sensitive data.
Remote access trojans (RATs) have been popular tools for many different types of attack groups for a long time. They usually offer a broad feature set and give attackers one of the things they covet most: persistent remote access to a target network. Some RATs are developed for the specific use of one person or group and don’t become public, but many others are sold widely in underground forums. In some cases, the source code for the malware also becomes public, and that was the case with the Orcus RAT and the RevengeRAT. Having the source code allows attackers to make modifications, which can not only make the malware more effective but also help it slip past defensive systems.
In a recent set of campaigns that have targeted a variety of high-profile organizations, one adversary group was using modified versions of both Orcus and RevengeRAT to steal information. The campaigns rely on targeted phishing emails that pretend to come from organizations such as the Better Business Bureau and inform the recipient about an alleged complaint against the company or agency. The messages contain either a malicious ZIP attachment or a link to an attacker-controlled server where the malware is hosted.
“A PE32 executable is inside of the ZIP archive. It needs to be executed by the victim to infect the system with Orcus RAT. The PE32 filename features the use of double extensions (478768766.pdf.exe) which, by default on the Windows operating system, will only display the first extension (.PDF). The PE32 icon has been set to make the file appear as if it is associated with Adobe Acrobat,” Edmund Brumaghin and Holger Unterbrink of Cisco’s Talos Intelligence Group wrote in an analysis of the campaign.
“This loader (478768766.pdf.exe) is protected by the SmartAssembly .NET protector (see below), but can easily be deobfuscated via de4dot. It is responsible for extracting and decrypting the Orcus RAT. It extracts the Orcus executable from its Resource "人豆认关尔八七".”
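The ZIP attachment with a double-extension executable described above can be caught at the mail gateway or during triage. The following is an added example, not code from Talos or from the original article; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions a lure pretends to be, and extensions Windows will run.
# Both sets are illustrative assumptions, not taken from the Talos report.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}


def double_extension(name):
    """Return (decoy, real) if name ends in <decoy>.<executable>, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots/spaces; padding may also hide the real suffix.
    parts = [p.strip() for p in base.rstrip(". ").lower().split(".")]
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2], parts[-1]
    return None


def scan_zip(data):
    """Inspect a ZIP attachment (bytes); return one finding per risky member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = double_extension(info.filename)
            try:
                with zf.open(info) as fh:
                    is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic
            except RuntimeError:  # password-protected member, cannot inspect
                is_pe = None
            if hit or is_pe:
                findings.append(
                    {"name": info.filename, "double_ext": hit, "pe_header": is_pe})
    return findings


def build_sample():
    """Constructed sample archive: inert bytes, only names and magic matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("478768766.pdf.exe", b"MZ" + b"\x00" * 62)  # name from the report
        zf.writestr("complaint.pdf", b"%PDF-1.4\n")  # benign document
        zf.writestr("notes.txt", b"MZ" + b"\x00" * 62)  # PE magic, innocent name
    return buf.getvalue()


if __name__ == "__main__":
    print(*scan_zip(build_sample()), sep="\n")
```

Checking the header bytes as well as the name catches executables that have been renamed to an innocent extension, which a filename rule alone would miss.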
After the extraction process, the malware goes through several more steps that ensure that the Orcus RAT file isn’t written in clear text to the compromised machine’s disk. It then creates a shortcut in the Startup directory that points to the executable, which gives the malware persistence on the machine. Some versions of the malware used in the campaigns also employed a variety of obfuscation techniques designed to make it more difficult for researchers to analyze the malware. Interestingly, the attackers in the campaigns that Talos analyzed also took the extra step of trying to disguise the command-and-control infrastructure by using Dynamic DNS and forwarding traffic to Portmap, which is a port-forwarding service.
“The adversaries used at least two different RATs in the campaigns which we have closely analyzed: Orcus RAT and RevengeRAT. For both RATs, the source code was leaked in the underground and several adversaries have used it to build their own versions,” the Talos analysis says.
“The adversaries changed the source code slightly. They moved the original code into separate functions and changed the execution order a bit plus added other minor changes like additional variables, but overall the code is still very similar to the leaked code. On the other hand, it is modified so that the resulting binary looks different for AVs.”
The type of phishing campaign that is spreading these RATs has been deployed widely in the last few years, especially against organizations in highly regulated industries such as financial services, insurance, and government. A number of separate attack groups have been linked to this type of campaign, and the techniques and malware families involved tend to vary and have also included ransomware infections.