OrcusRat is a modular Remote Access Trojan with some unusual functions. It lets attackers create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Orcus has been advertised as a "Remote Administration Tool" (RAT) since early 2016, sold under a supposedly registered business, and its homepage describes it as behaving similarly to TeamViewer and other legitimate remote-administration applications. It has all the features that would be expected from a RAT; its own marketing calls it "the perfect RAT for everyone" and lists standard features such as a Registry Editor, Webcam access and Remote Desktop.
In practice the malware uses multiple evasive techniques to bypass security tools, and in a successful attack the Orcus RAT can steal browser cookies. Cisco Talos discovered a threat actor leveraging RevengeRAT and Orcus RAT in various malware distribution campaigns, and researchers have found modified versions of the Orcus and Revenge RATs being delivered through effective phishing campaigns.
Before discussing the details of this RAT family, let's look at how Orcus became a commercially sold RAT.
OrcusRAT is a Remote Access Trojan that has been active since 2016. Orcus was developed by a malware author who goes under the name 'Sorzus'. This RAT has been sold for $40 since April 2016, with the ability to build custom plugins. Orcus RAT is primarily distributed via spear-phishing emails and drive-by downloads.
Capabilities of Orcus RAT
The Remote Access Trojan’s capabilities include:
- Keylogging and remote administration
- Stealing system information and credentials
- Taking screenshots, recording video from Webcams, recording audio from microphones, and disabling webcam light
- Remote code execution and denial-of-service attacks
- Exploring/editing the registry
- Detecting VMs
- Reverse Proxying
- Real Time Scripting
- Advanced Plugin System
Orcus RAT distributed via decoy Word document
Researchers spotted a malspam campaign distributing Orcus RAT via malicious Microsoft Word documents.
- The phishing emails included a malicious MS Word document.
- Upon opening the document, an automatic download of a malicious RTF file is triggered.
- This RTF file deploys a remote code execution (RCE) exploit (CVE-2017-8759), which drops the Orcus RAT on the victims’ systems.
Orcus RAT targets Bitcoin investors
A phishing campaign disguised as email marketing for a new Bitcoin trading bot dubbed 'Gunbot' distributed Orcus RAT.
- Phishing emails sent to Bitcoin investors in the guise of email marketing for 'Gunbot' included a ZIP attachment.
- The ZIP attachment contained a Visual Basic script disguised as a JPEG image file.
- The malicious VB script downloads a binary that delivers and executes Orcus RAT.
Tax-themed phishing campaign
Researchers spotted various tax-related phishing campaigns targeting US taxpayers with a range of RATs including Orcus RAT, Netwire, and Remcos RAT.
Ramadan-themed Coca-Cola video distributes Orcus RAT
Researchers observed a malware campaign that distributed Orcus RAT inside a Ramadan-themed Coca-Cola video. Upon clicking the video, a series of downloads and processes was triggered, which included:
- Searching for and hijacking a process using a User Account Control (UAC) bypass technique
- Downloading and executing the RAT that comes attached to the video
- Harvesting data and sending it back to the attackers’ C&C servers
Revenge RAT and Orcus RAT
In a recent malspam campaign, researchers spotted a threat actor distributing two popular remote access trojans to launch attacks against different organizations across various sectors. The targeted sectors include financial services, information technology, consultancies, and government entities.
The malspam emails purported to come from various authorities such as the Better Business Bureau (BBB), Australian Competition & Consumer Commission (ACCC), Ministry of Business, Innovation & Employment (MBIE) and other regional agencies.
The emails included ZIP archives that contained malicious batch files responsible for retrieving the malicious PE32 file and dropping Orcus RAT and Revenge RAT onto victims’ systems.
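Two of the delivery chains above share the same shape: a ZIP attachment whose members are scripts or batch files, in the Gunbot case disguised as a JPEG image. The following is an added defensive example, not code from the original article or from any of the researchers it cites. It inspects the members of a ZIP attachment and flags the traits a mail gateway or triage analyst would look for: an executable or script extension, a double extension with a decoy document or image suffix, a right-to-left-override character in the name, and image or PDF members whose leading bytes do not match the format they claim. The archive it scans is constructed in memory; the member names and contents are placeholders, not samples from the campaigns.

```python
"""Flag risky members inside an e-mail ZIP attachment (added example)."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute or interpret when double-clicked.
SCRIPT_OR_EXEC_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd",
    ".ps1", ".exe", ".scr", ".pif", ".com", ".hta", ".lnk", ".dll",
}

# Extensions users read as harmless data; used as the outer disguise in lures.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

# Leading bytes of common image/document formats, used to verify the claimed type.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
}


def _exts(name: str) -> List[str]:
    """Return every dotted suffix of a member's base name, lowercased."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_member(name: str, head: bytes) -> List[str]:
    """Return the reasons one archive member looks risky (empty list if none)."""
    reasons: List[str] = []
    exts = _exts(name)
    if not exts:
        return reasons
    last = exts[-1]
    if last in SCRIPT_OR_EXEC_EXTS:
        reasons.append(f"executable/script extension {last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_OR_EXEC_EXTS:
        reasons.append(f"double extension {exts[-2]}{last} (decoy {exts[-2]})")
    if "\u202e" in name:  # right-to-left override hides the real extension
        reasons.append("RLO character in filename")
    expected = MAGIC.get(last)
    if expected is not None and not head.startswith(expected):
        reasons.append(f"content does not match {last} header")
    return reasons


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Scan ZIP bytes and map each risky member name to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # enough for every magic prefix above
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member and three lure-shaped placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("brochure.pdf", b"%PDF-1.4\n% constructed benign content\n")
        zf.writestr("gunbot_screenshot.jpeg.vbs", b"' constructed placeholder, not a real script\r\n")
        zf.writestr("notice.bat", b"@echo off\r\nrem constructed placeholder\r\n")
        zf.writestr("photo.jpg", b"not a JPEG: constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(why)}")
```

Run stand-alone it reports the three placeholder lures and stays silent on the benign PDF. The magic-byte check is what catches a payload renamed to an image extension even when no second extension is present; the double-extension check catches the Gunbot pattern regardless of content.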