News

Published on August 29th, 2019

Attackers Target Govt and Financial Orgs With Orcus, Revenge RATs

Multiple malicious campaigns actively targeting government and financial entities around the world have been spotted backdooring their victims' computers with the Revenge and Orcus Remote Access Trojans (RATs).

All these separate campaigns are linked together by several unique tactics, techniques, and procedures (TTPs) including but not limited to command and control (C2) infrastructure obfuscation, analysis evasion, and persistence techniques leveraged by fileless malware strains.

As the Cisco Talos researchers who made this discovery further found, a threat actor has been using Revenge RAT and Orcus RAT payloads as part of ongoing "malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies."

Revenge RAT is a publicly available RAT released in 2016 on the Dev Point hacking forum. It is known to be capable of opening remote shells, allowing the attacker to manage system files, processes, registry entries and services, log keystrokes, dump victims' passwords, and access the webcam, among other capabilities.

Orcus has been advertised as a Remote Administration Tool since early 2016, but because it also has Remote Access Trojan capabilities, including the ability to load custom plugins, it is now also considered a malicious tool.

RAT payloads and obfuscated C2 infrastructure

The campaigns' operators use Dynamic Domain Name System (DDNS) to conceal their C2 servers, a popular method of hiding command and control infrastructure also observed in the case of other attacks deploying RATs on targeted machines.

However, the actors behind this series of attacks add an extra level of refinement by also pointing the DDNS records "to the Portmap service to provide an additional layer of infrastructure obfuscation."

The Portmap service uses port mapping to make it possible to connect to systems that sit behind firewalls or that cannot otherwise be reached directly from the Internet.

HTTPS certificate showing Portmapper usage

As the researchers also found, the Portmap service is being abused by other actors as well and is included in the C2 connectivity schemes of several other malware families.

The Revenge and Orcus RAT payloads distributed through these twice-obfuscated C2 servers are modified versions of previously leaked variants; the actors introduced only small changes to the codebase, just enough to evade detection signatures based on previously discovered samples.

The client IDs found in the source code of both payloads are also identical: both use the string CORREOS (base64 encoded in the Revenge RAT version), which the researchers consider yet another hint that the two RATs are deployed by the same threat actor.
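A shared client ID that appears in plain text in one payload and base64 encoded in the other is a natural hunting artefact. The catch is that the base64 form of a string depends on where it falls relative to the encoder's 3-byte groups, so a single encoded literal misses two of the three possible alignments. The following added example (not code from the article or from Cisco Talos) derives all three alignment-independent base64 fragments of a string, the same idea behind YARA's `base64` string modifier, and scans a byte blob for the plain and encoded forms. The CORREOS value comes from the article; the sample blobs are constructed here for illustration.

```python
import base64
import re


def base64_alignments(needle: bytes) -> set:
    """Return the base64 substrings that appear whenever `needle` is base64
    encoded, whatever its offset relative to the 3-byte group boundaries.

    For each of the three possible offsets we encode the needle behind
    `offset` dummy bytes, then cut off the leading characters that depend on
    those dummy bytes and the trailing characters that depend on whatever
    bytes follow the needle in real data (or on '=' padding here).
    """
    variants = set()
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + needle).decode("ascii")
        head = (4 * offset + 2) // 3              # ceil(4*offset/3): 0, 2, 3
        tail = {0: 0, 1: 3, 2: 2}[(offset + len(needle)) % 3]
        variants.add(enc[head:len(enc) - tail])
    return variants


# Client ID string reported in the article for both RAT payloads.
CLIENT_ID = b"CORREOS"

# One regex covering the plain string and every base64 alignment of it.
CLIENT_ID_RE = re.compile(
    b"|".join([re.escape(CLIENT_ID)]
              + [re.escape(v.encode("ascii")) for v in base64_alignments(CLIENT_ID)])
)


def find_client_id(blob: bytes) -> list:
    """Return (offset, matched_text) for every plain or base64 hit in `blob`."""
    return [(m.start(), m.group().decode("ascii", "replace"))
            for m in CLIENT_ID_RE.finditer(blob)]


def sample_blobs() -> list:
    """Constructed test data: the client ID base64 encoded at all three
    alignments, plus one plain-text occurrence. Not taken from real samples."""
    blobs = [base64.b64encode(prefix + CLIENT_ID + b"zz")
             for prefix in (b"", b"x", b"xy")]
    blobs.append(b"config: id=CORREOS; host=example.invalid")
    return blobs


if __name__ == "__main__":
    print("base64 alignments:", sorted(base64_alignments(CLIENT_ID)))
    for blob in sample_blobs():
        print(blob, "->", find_client_id(blob))
```

The three fragments are deliberately shorter than a full encoding of the string: the characters that straddle a group boundary with unknown neighbouring bytes are dropped, which is exactly why a naive `base64("CORREOS")` literal only catches one alignment.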

Modified RevengeRAT version on the right

RAT payload delivery

The attackers used two methods to deliver their malicious payloads via phishing emails. Early on, they abused the SendGrid email delivery service to redirect targets to their malware distribution servers; in campaigns discovered later, they switched to embedding the payloads as malicious attachments.

The victims' systems are infected with the Orcus and Revenge RATs through malware loaders. One variant arrives as a PE32 executable, the other as a .bat downloader script, and both are dropped via malicious ZIP archives.

Payload delivery

The first loader version is camouflaged as a PDF: its file name carries a .pdf.exe double extension, with the .exe part hidden by Windows' default setting of hiding known file extensions, and it uses an Adobe Acrobat icon.

Once the target launches the SmartAssembly-protected .NET loader, it extracts the RAT payload from its resource section and injects the resulting PE file into an additional instance of itself, executing the RAT in memory and avoiding writing it to the compromised machine's disk.

Subsequently, the loader gains persistence on the infected computer by adding a shortcut to its executable in the Windows Startup folder, and by copying itself to the Roaming directory and executing that copy every minute with the help of a .bat file.

The .bat downloader script, on the other hand, downloads a .js script to the victim's PC which adds a registry entry designed to load a Revenge RAT payload through a PowerShell decoding script.
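The two delivery chains described above leave a small set of host artefacts that endpoint telemetry can be checked for: a document-like file name with a hidden executable extension, a shortcut dropped in the Startup folder, a script dropped directly under Roaming, a Run-key value invoking a script host, and a PowerShell launch with a hidden window or an encoded command. The following added example (not code from the article or from Cisco Talos) implements these checks as heuristics over a constructed event stream; the paths, registry key name, and command lines are invented for illustration and are not indicators from the report.

```python
import re

# Constructed sample endpoint events modelled on the loader behaviours the
# article describes. None of these values come from the Talos report.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\Downloads\Invoice_2019.pdf.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
             r"\Programs\Startup\Invoice_2019.lnk"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\run.bat"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"wscript.exe //B C:\Users\alice\AppData\Roaming\loader.js"},
    {"type": "process_start", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QUJDRA=="},
    # Benign events that the heuristics must leave alone.
    {"type": "file_create",
     "path": r"C:\Users\alice\Documents\quarterly_report.pdf"},
    {"type": "process_start", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# Document-style name followed by an executable or script extension.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|com|bat|js|vbs)$", re.I)
# Shortcut written to the per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# Script written directly into the Roaming directory root.
ROAMING_SCRIPT = re.compile(r"\\AppData\\Roaming\\[^\\]+\.(bat|cmd|js|vbs)$", re.I)
# Run key whose value launches a script host.
RUN_KEY = re.compile(r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|mshta)(\.exe)?\b", re.I)
# PowerShell launched with a hidden window or an encoded command.
PS_SUSPICIOUS = re.compile(r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)


def evaluate(event: dict) -> list:
    """Return the names of every heuristic the event triggers."""
    hits = []
    kind = event["type"]
    if kind == "file_create":
        path = event["path"]
        if DOUBLE_EXT.search(path):
            hits.append("masquerading_double_extension")
        if STARTUP_LNK.search(path):
            hits.append("persistence_startup_shortcut")
        if ROAMING_SCRIPT.search(path):
            hits.append("script_dropped_in_roaming")
    elif kind == "registry_set":
        if RUN_KEY.search(event["key"]) and SCRIPT_HOST.search(event["value"]):
            hits.append("persistence_run_key_script_host")
    elif kind == "process_start":
        if event["image"].lower() == "powershell.exe" and PS_SUSPICIOUS.search(event["cmdline"]):
            hits.append("powershell_hidden_or_encoded")
    return hits


def scan(events: list) -> list:
    """Return (event, hits) pairs for every event that triggers a heuristic."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event, hits))
    return results


if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", event)
```

Each heuristic on its own is noisy (plenty of legitimate software writes Startup shortcuts or runs PowerShell hidden); the value is in correlating several of them on the same host within a short window, which is how the chain the article describes would surface.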

Deobfuscated .bat loader

"Organizations should leverage comprehensive defense-in-depth security controls to ensure that they are not adversely impacted by attacks featuring these malware families," conclude the Cisco Talos researchers. "At any given point in time, there are several unrelated attackers distributing these RATs in different ways."

Indicators of compromise (IOCs), including malware sample hashes as well as the domains and IP addresses used in the attacks, are available at the end of Cisco Talos' report on the Revenge and Orcus RAT campaigns.

RATs are having a field day

In related news, malware peddlers have used multiple RAT flavors against a wide range of targets this year alone, with Adwind (also known as AlienSpy, JSocket, jRAT, and Sockrat) used in attacks targeting utility industry entities last week.

Also during August, a combination of new backdoor and RAT malware, dubbed BalkanDoor and BalkanRAT by ESET researchers, was spotted in campaigns targeting multiple entities in the Balkans.

A new exploit kit for web-based attacks, dubbed Lord EK, was also deployed the same month as part of a malvertising chain that abused the PopCash ad network to drop an initial njRAT payload after exploiting an Adobe Flash use-after-free vulnerability.

Attackers also used a new RAT dubbed LookBack by the Proofpoint Threat Insight Team, whose researchers detected it being delivered via a spear-phishing campaign targeting the employees of three U.S. entities in the utility industry.

Microsoft also issued an alert in June about an ongoing spam campaign attempting to infect Korean targets with FlawedAmmyy RAT malware payloads delivered via malicious XLS attachments.

Earlier that month, Cofense researchers noticed another phishing campaign distributing a new malware strain they tagged as WSH RAT, actively used to attack commercial banking customers with its information-stealing and keylogging capabilities.
