Orcus RAT is being distributed on file-sharing sites disguised as a cracked Hangul Word Processor, linked to the same actor who previously pushed BitRAT and XMRig under a Windows license verifier guise. The campaign employs a multi-stage delivery chain with obfuscated PowerShell, 7z SFX installers, Google Docs downloads, and Telegram-based data exfiltration to deploy Orcus RAT and related malware on Korean targets. Hashtags: #OrcusRAT #HangulWordProcessor #BitRAT #XMRig #NirCmd #GoogleDocs #Telegram
Keypoints
- Orcus RAT distribution occurs on file-sharing sites and targets Korean users, with the same actor also distributing BitRAT and XMRig in prior campaigns.
- The dropper uses 7z SFX to create an installer and embeds encoded PowerShell commands to avoid detection by AV software.
- The installer adds Defender exceptions via Add-MpPreference to evade antivirus, illustrating deliberate defense evasion.
- A downloader stage checks for virtualized/analytical environments and installed anti-malware, then transmits basic host info over Telegram before proceeding.
- XMRig CoinMiner is installed with stealth parameters and game-detection logic (it pauses mining while games run), and it can also terminate security tools such as V3 while it is running.
- Orcus RAT is deployed only when certain conditions are met (Telegram or Visual Studio installed) and uses a separate Orcus server for C2, offering remote control features, keylogging, webcam access, and RDP capabilities via an RDP wrapper.
MITRE Techniques
- [T1059.001] PowerShell: PowerShell commands are used during installation, including encoded commands in the 7z SFX installer. "[The installation script … includes encoded PowerShell commands.]"
- [T1027.001] Obfuscated/Compressed Files and Information: The dropper uses obfuscated PowerShell and an encoded/scripted installation flow to evade detection. "[an obfuscated PowerShell command and run the actual installer in the "install" folder.]"
- [T1562.001] Impair Defenses: Defender evasion via Add-MpPreference to exclude certain processes/paths; includes a tactic to allow threats detected by Windows Defender. "[Add-MpPreference, certain process names and paths are set as exceptions to evade detection by Windows Defender Antivirus.]"
- [T1053.005] Scheduled Task: The PowerShell commands are registered in the Windows Task Scheduler to periodically install the latest malware. "[registers PowerShell commands on the task scheduler to periodically install the latest malware.]"
- [T1105] Ingress Tool Transfer: The malware downloads files from Google Docs as part of its payload delivery chain. "[downloads files uploaded to Google Docs.]"
- [T1497] Virtualization/Sandbox Evasion: The sample checks for a VM environment and terminates if in an analysis environment. "[The malware checks for a virtual machine environment and if the "asdmon" process is running, and if it is determined to be an analysis environment, it is terminated.]"
- [T1021.001] Remote Desktop Protocol: Orcus RAT includes remote access capabilities, including RDP Wrapper and the creation of an OrcusRDP account. "[RDP Wrapper and creating an account named "OrcusRDP".]"
- [T1071.001] Web Protocols: C2 and data exfiltration leverage web protocols, notably the Telegram API for sending data. "[transmits this information via Telegram API.]"
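As an added example (not code from the ASEC report or this page), a small Python detector for the T1059.001 / T1562.001 / T1053.005 steps listed above: it decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE text) and flags Add-MpPreference exclusions, Defender threat allow-listing, and PowerShell scheduled-task registration in process command lines. The sample command lines, paths and threat ID in it are constructed, not indicators from the campaign.

```python
import base64
import re

# Prefixes PowerShell accepts for -EncodedCommand, followed by a base64 blob
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Patterns for the evasion/persistence steps the summary describes
PATTERNS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I | re.S),
    "defender_allow_threat": re.compile(
        r"(?:Add|Set)-MpPreference\b.*-ThreatIDDefaultAction_Actions\s+Allow", re.I | re.S),
    "scheduled_task_powershell": re.compile(
        r"(?:Register-ScheduledTask\b|schtasks(?:\.exe)?\s+/create\b).*powershell", re.I | re.S),
}

def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand script (if any) to the raw command line."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real payload; scan the raw line only
    return cmdline + " " + decoded

def find_defender_tampering(cmdline: str) -> list[str]:
    """Return the names of the patterns matched by a (decoded) command line."""
    text = decode_encoded_command(cmdline)
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample command lines (hypothetical, shaped like Sysmon Event ID 1 CommandLine fields)
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_ps(
        'Add-MpPreference -ExclusionPath "C:\\ProgramData\\install" -ExclusionProcess "install.exe"'),
    'powershell.exe -c "Add-MpPreference -ThreatIDDefaultAction_Ids 0 -ThreatIDDefaultAction_Actions Allow"',
    'schtasks.exe /create /tn "Google Update" /tr "powershell.exe -enc AAAA" /sc minute /mo 30',
    'powershell.exe -c "Get-Process | Select-Object Name"',  # benign control line
]

def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious command line to the patterns it triggered."""
    return {c: hits for c in cmdlines if (hits := find_defender_tampering(c))}
```

The decode step matters because the exclusion command never appears in cleartext on the command line of the 7z SFX stage; only the decoded UTF-16LE script exposes it.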
Indicators of Compromise
- [MD5] 516a2bde694b31735c52e013d65de48d, 6a1fc56b4ce8a62f1ebe25bf7bbe2dbd, and 2 more hashes (Downloader #1, Downloader #2)
- [File/Name] install.exe, software_reporter_tool.exe, Kb5019959.exe, Google Update.exe
- [C2/Domain] api.telegram.org (Telegram bot), minecraftrpgserver.com:27036, minecraftrpgserver.com:80, xmr.2miners.com:12222
- [Google Docs URLs] https://docs.google.com/uc?export=download&id=1GWm1TFpqTxungXVH0vlktkat5HilyBOJ, https://docs.google.com/uc?export=download&id=1FgV6vUZZX3XkERFlXDpKQHoo8qYL9r4z
- [Other] 74bdc2f671f86909527d8514e1f1f171 (Task Scheduler XML), ccf2d6c69a4e016cd19fa4ee7bc341ec (Task Scheduler XML)
Read more: https://asec.ahnlab.com/en/45462/