29 August 2019

Threat actors use Orcus, Revenge RATs in attacks against government and financial entities around the world

Researchers at Cisco Talos spotted multiple ongoing campaigns targeting government entities, financial services organizations, information technology service providers and consultancies all over the world with the Revenge and Orcus Remote Access Trojans (RAT). The common trait of all of these observed campaigns is the use of several unique tactics, techniques, and procedures (TTPs), including analysis evasion, the use of techniques involving "fileless" malware, and obfuscation techniques designed to hide command and control (C2) infrastructure.

Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) on the threat landscape. RevengeRAT is a publicly available RAT released during 2016; it can be leveraged to compromise corporate networks, establish an initial point of network access, perform lateral movement, and exfiltrate sensitive information that can be monetized. Orcus RAT has been publicly advertised as a Remote Access Tool since early 2016, but given that it also has Remote Access Trojan capabilities, it can also be used as a malicious tool capable of loading custom plugins.

The attackers behind this campaign use Dynamic Domain Name System (DDNS) in an attempt to obfuscate their C2 infrastructure. Although this is a fairly popular method of hiding command and control infrastructure, in this case the attackers added another layer of protection by pointing the DDNS hostnames at the Portmap service to conceal their C2 servers.

Portmap is a service designed to facilitate external connectivity to systems that are behind firewalls or otherwise not directly exposed to the internet.
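The layered DDNS-to-Portmap setup described above is visible in DNS telemetry: a dynamic-DNS hostname that resolves to a port-forwarding relay rather than to an ordinary endpoint. The following detection logic is an added example and is not Talos's code. The log line format, the DDNS and relay suffix watchlists, the relay IP range (a TEST-NET placeholder) and the sample log entries are all constructed for this example.

```python
"""Flag DNS resolutions that chain a dynamic-DNS hostname to a port-forwarding
relay such as Portmap. Example detection logic, not from the original article."""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed watchlists (constructed for this example; a real deployment would
# use a maintained list of DDNS providers and relay services).
DDNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "dyndns.org")
RELAY_SUFFIXES = ("portmap.io",)
# Placeholder relay address range (TEST-NET-3); substitute the relay's real
# published ranges in production.
RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver log format: ts client= query= type= answer=
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) "
    r"type=(?P<rtype>[A-Z]+) answer=(?P<answer>\S+)$"
)


def _matches(host: str, suffixes) -> bool:
    """True if host equals or is a subdomain of any suffix in the watchlist."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _is_relay_ip(addr: str) -> bool:
    """True if addr parses as an IP inside one of the assumed relay ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RELAY_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one resolver log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Classify a parsed record: None (not DDNS), 'ddns-only', or a relay chain."""
    if not _matches(rec["query"], DDNS_SUFFIXES):
        return None
    if rec["rtype"] == "CNAME" and _matches(rec["answer"], RELAY_SUFFIXES):
        return "ddns->relay-cname"
    if rec["rtype"] == "A" and _is_relay_ip(rec["answer"]):
        return "ddns->relay-ip"
    return "ddns-only"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings for DDNS names that resolve to a relay; plain DDNS
    lookups are common in benign traffic and are not reported on their own."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than fail the whole scan
        verdict = classify(rec)
        if verdict and verdict != "ddns-only":
            findings.append({
                "client": rec["client"],
                "query": rec["query"],
                "answer": rec["answer"],
                "rule": verdict,
            })
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-08-29T10:00:01Z client=10.0.0.5 query=www.example.com type=A answer=93.184.216.34",
    "2019-08-29T10:00:02Z client=10.0.0.5 query=update-srv.ddns.net type=CNAME answer=tunnel1.portmap.io",
    "2019-08-29T10:00:03Z client=10.0.0.7 query=backup.duckdns.org type=A answer=203.0.113.45",
    "2019-08-29T10:00:04Z client=10.0.0.9 query=home-cam.no-ip.org type=A answer=198.51.100.8",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['rule']:18} {f['client']:10} {f['query']} -> {f['answer']}")
```

Only the two lines where a DDNS name leads to the relay are reported; the ordinary DDNS lookup and the non-DDNS lookup are ignored, which keeps the rule useful in environments where dynamic DNS is common.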

The Revenge and Orcus RAT payloads distributed by the attackers are slightly tweaked versions of previously leaked variants. The bad actors introduced only small changes to the codebase just enough to fool different antivirus products.

The researchers note that both Client IDs point to the same CORREOS string (with the Revenge RAT version being base64 encoded), which is another hint indicating that both RATs are being deployed by the same threat actor.
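Correlating samples on a configuration value that one family stores in plaintext and the other base64-encodes is a routine step when clustering RAT builds. The helper below is an added example, not Talos's tooling: it normalizes a Client ID to its plaintext form and groups sample records by that value. The sample names and the third Client ID are constructed; the CORREOS value is the one named in the article.

```python
"""Normalize RAT config Client IDs (plain or base64) and cluster samples by
the decoded value. Example code, not from the original article."""
import base64
import binascii
from collections import defaultdict
from typing import Dict, List, Tuple


def normalize_client_id(value: str) -> str:
    """Return the plaintext form of a Client ID.

    Accepts either the plain string or its base64 encoding. Anything that is
    not valid, padded base64 decoding to printable ASCII is returned unchanged,
    so short plain IDs that happen to use the base64 alphabet are left alone.
    """
    v = value.strip()
    try:
        raw = base64.b64decode(v, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return v
    if text and text.isprintable():
        return text
    return v


def cluster_by_client_id(samples: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (sample_name, family, client_id) records by normalized Client ID.

    Returns a mapping from plaintext Client ID to the list of sample names that
    share it, regardless of family or encoding.
    """
    clusters: Dict[str, List[str]] = defaultdict(list)
    for name, _family, client_id in samples:
        clusters[normalize_client_id(client_id)].append(name)
    return dict(clusters)


# Constructed sample records (hypothetical file names; the third ID is made up).
SAMPLES = [
    ("sample-a.exe", "Orcus", "CORREOS"),
    ("sample-b.exe", "RevengeRAT", "Q09SUkVPUw=="),   # base64("CORREOS")
    ("sample-c.exe", "RevengeRAT", "Q2xpZW50MQ=="),   # base64("Client1")
]

if __name__ == "__main__":
    for cid, names in cluster_by_client_id(SAMPLES).items():
        print(f"{cid}: {', '.join(names)}")
```

The Orcus and Revenge samples land in the same CORREOS cluster even though their configs store the value differently, which is the overlap the researchers used as an attribution hint.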

“Organizations should leverage comprehensive defense-in-depth security controls to ensure that they are not adversely impacted by attacks featuring these malware families. At any given point in time, there are several unrelated attackers distributing these RATs in different ways. Given that the source code of both of these malware families is readily available, we will likely continue to see new variants of each of these RATs for the foreseeable future,” concluded Cisco’s Talos team.
