Researchers at Cisco Talos spotted multiple ongoing campaigns targeting government entities, financial services organizations, information technology service providers and consultancies all over the world with the Revenge and Orcus Remote Access Trojans (RATs). The common trait of all of these observed campaigns is the use of several distinctive tactics, techniques, and procedures (TTPs), including analysis evasion, the use of "fileless" malware techniques, and obfuscation techniques designed to hide command and control (C2) infrastructure.
Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) on the threat landscape. RevengeRAT is a publicly available RAT released during 2016 and can be leveraged to compromise corporate networks, establish an initial point of network access, perform lateral movement, and exfiltrate sensitive information that can be monetized. Orcus RAT has been publicly advertised as a Remote Access Tool since early 2016, but given that it also has Remote Access Trojan capabilities, it can equally be used as a malicious tool capable of loading custom plugins.
The attackers behind these campaigns use Dynamic Domain Name System (DDNS) in an attempt to obfuscate their C2 infrastructure. Although this is a popular method of hiding command and control infrastructure, in this case the attackers added another layer of protection by pointing the DDNS records at the Portmap service to conceal their C2 servers.
Portmap is a service designed to facilitate external connectivity to systems that are behind firewalls or otherwise not directly exposed to the internet.
The Revenge and Orcus RAT payloads distributed by the attackers are slightly tweaked versions of previously leaked variants. The bad actors introduced only small changes to the codebase, just enough to fool different antivirus products.
The researchers note that both Client IDs point to the same CORREOS string (with the RevengeRAT version being base64 encoded), which is another hint that both RATs are being deployed by the same threat actor.
“Organizations should leverage comprehensive defense-in-depth security controls to ensure that they are not adversely impacted by attacks featuring these malware families. At any given point in time, there are several unrelated attackers distributing these RATs in different ways. Given that the source code of both of these malware families is readily available, we will likely continue to see new variants of each of these RATs for the foreseeable future,” concluded Cisco’s Talos team.