Cybercriminals use the popular RAT Orcus and Revenge to attack governmental organizations

Researchers at Cisco Talos discovered a number of malicious attacks targeting governmental and financial organizations around the world. As part of these attacks, cybercriminals used the Revenge and Orcus tools.

According to the researchers, several unique tactics, methods and procedures, including obfuscation of the C&C infrastructure, evasion of analysis and methods of ensuring persistence using file-free malwares, interconnect all campaigns.

Revenge is a publicly accessible tool for remote access (RAT), published in 2016 on the Dev Point forum. It is able to open remote shells, allowing an attacker to manage system files, processes, registry and services, detect keystrokes and reset passwords of a victim, as well as gain access to a web-camera.

Orcus is a remote administration tool, but it also has the capabilities of a remote access trojan and can load custom plugin.

“Revenge RAT and Orcus RAT are two of the most popular RATs in use across the threat landscape and will likely continue to be heavily favored for use during the initial stages of attacks”, — report Cisco Talos specialists.

The campaign operator uses a dynamic domain name system (DDNS) that points to the Portmap service to hide the C&C infrastructure. The service allows connecting to systems protected by firewalls or which cannot be directly accessed from the Internet through port mapping.

The Revenge and Orcus samples used in the attacks are modified versions of the previously leaked variants. Attackers made only small changes to the code, sufficient to trick antiviruses.

Malicious messages spread through phishing emails; attackers delivered them using two methods.

Read also: Data leak affected 14 million customers of Hostinger service

The first is using SendGrid’s email delivery service to redirect victims to malicious servers.

The second method is spreading the malware through malicious attachment. To infect systems, two bootloader options were used. The first was an executable file in PE32 format, and the other was a .bat file.

The first bootloader was masked as a PDF file. It downloaded the RAT from his resource section and embedded the PE file in his additional copy, thus executing it in memory and avoiding writing to the disk of a compromised machine. A .bat downloader downloaded a js script to the victim’s computer, adding a registry entry for loading Revenge using a script PowerShell.

Cisco Talos: What next?

Organizations should leverage comprehensive defense-in-depth security controls to ensure that they are not adversely impacted by attacks featuring these malware families. At any given point in time, there are several unrelated attackers distributing these RATs in different ways. Given that the source code of both of these malware families is readily available, we will likely continue to see new variants of each of these RATs for the foreseeable future.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button