A Peculiar Case of Orcus RAT Targeting Bitcoin Investors

Bitcoin has been the talk of the past few years, at least as far as crypto-currency is concerned, primarily due to its growing acceptance and steady rise in value ($17,740 USD as of writing.) Inevitably, financial market traders and investors have found this to represent a good opportunity for profits.

However, active trading in bitcoin, as in any currency in the financial market, generally requires a great deal of attention in order to maximize profitability. Throw the emotions involved with every trading decision into the mix and it can become a stressful ordeal. Hence, the advent of automatic trading applications, popularly known as trading bots.

In simple terms, these bots monitor bitcoin price differences between different trading platforms. If an opportunity for profit appears, they automatically buy or sell bitcoin between the platforms, effectively arbitraging between the two. The criteria for an opportunity are still based on parameters set by the user though. So obviously, they are not fully autonomous.

Bitcoin trading bots, or trading bots in general, however, are not at all new. But with bitcoin’s increasing value and popularity, the market for them is.

And as expected, as this parade of bandwagons grows larger, malware threat actors are ready to jump on to get a piece of the profit. As evidence of this, FortiGuards Labs’ Kadena Threat Intelligence System (KTIS) has spotted a new phishing campaign that targets bitcoin investors by offering Gunbot, a relatively new bitcoin trading bot application. However, instead of being a tool designed to ensure more profit, it serves an Orcus RAT malware that results in the loss of investments and more.

Spam

The email spam arrives as an announcement of a new bitcoin trading bot called Gunbot, which is a product developed by GuntherLab or Gunthy.

Fig1. Spam email disguised as a GunBot promotion

An attachment with the filename sourcode.vbs.zip is actually an archive that contains a simple VB Script with the same filename, which when executed downloads a file from https[:]//bltcointalk.com/flashplayer27pp_ka_install.jpeg. Although the extension suggests it is a JPEG image file, it is actually a PE binary file.

The comments on the script imply that the threat actors behind this campaign have no intention of hiding its behavior. It’s possible that they lack the technical knowledge and simply bought the components used in this campaign elsewhere. It can also be that they just simply don’t care as long as there’s someone out there that double-clicks the file without any inspection, which may well be the case.

Fig2. Commented VBScript downloader

Trojanized Inventory System

At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however,we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.

Fig3. Comparison between the downloaded executable and the TTJ-Inventory System source code

As we dug deeper in the decompiled code, we found an access reference to a big chunk of data named “Mastering” from a resource named “DVDImageBurn”. It contains encrypted binary data from a resource name “Mastering” that will be decrypted using a hardcoded key. As it turns out, this data is another .NET PE executable that is loaded and executed directly to memory.

Fig4. Decrypt Resource Data

Fig5. Loading the decrypted MZ application

To make sure that only one instance of the malware is running, the system checks for the existence of a mutex named “dgonfUsV”.

Before the malware proceeds to its main payload, it first checks to see if it’s running from the path %APPDATA%RoamingMicrosoftWindowsDwiDesknethost.exe. If not, it creates a copy of itself in the said directory and executes from there instead.

We now turn our analysis to the previously mentioned embedded executable. Once it is loaded and executed in memory, it ensures that the malware is executed upon reboot. A shortcut file is created in the same directory which points to the newly created path. The path of the shortcut file is added as new entry HKEY_CURRENT_USER\SoftwareMicrosoftWindows|CurrentVersionRunOnce with the value name “Load”.

Fig6. Creating Auto Start Registry

This executable further contains three embedded PE executables in its resource where the actual Orcus RAT server can be found.

Fig7. Payload Resource File

• M – Orcus RAT server
• PkawjfiajsVIOefjsakoekAOEFKasoefjsa – persistence watchdog
• R – RunPE module

The RunPE module is not only able to execute other modules without writing their physical files in the system, but also to execute them under legitimate executables. This is usually done by executing an application in suspended mode, and then replacing the new process’ memory with the malicious code before resuming. It’s a common stealth technique. In this case, it uses components of the Microsoft .NET framework, MSBuild.exe and RegAsm.exe, as shells to hide their malicious processes. However, as shown in the next figure, the path to the mentioned executables are hardcoded, which means that if the system has a different version of .NET framework (different path) the malware will not be able to proceed.

Fig8. Loading Orcus RAT by Process Hollowing

The module from the PkawjfiajsVIOefjsakoekAOEFKasoefjsa resource acts as a watchdog to keep the malware running by repeatedly executing it unless the client decides to stop it by dropping ”stop.txt” in its directory.

Fig9. Process Persistence

Putting The ‘T’ in RAT

Fig10. Decompiled Orcus binary showing command modules

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.

Basically, if a server component gets “installed” to your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing.

Orcus, although advertised as a Remote Administration Tool, offers features that are beyond that scope.For instance, the user has the ability to disable the light indicator on webcams so as to not alert the target that it’s active. It can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process. This makes it harder for targets to remove it from their systems. A plugin that can be used to perform Distributed Denial of Service (DDOS) is also available directly from their repository. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.

Interestingly, this is not the first time that Orcus’ self-claimed status of being a benign tool has been questioned. In July of 2016, KrebsonSecurity published an article tackling this same issue.

The One-letter Modus

It is obvious that the malware download site https://bltcointalk.com is trying to imitate the bitcoin forum bitcointalk.org. When accessed, the website is just an open directory containing the previously mentioned as well as an archive with the filename . Unfortunately, in the middle of writing this article, the contents of the website changed before we could download an updated copy.

Fig11. blcointalk.com contents listed on Dec. 1

During our access on Dec. 4, flashplayer27pp_ka_install.jpeg was no longer hosted. However, a new file with the filename Gunbot.XT.Edition.-.Windows.package.zip had been uploaded to the server and this time we were able to take a deeper look.

Fig12. bltcointalk.com contents listed on Dec. 4

As it turns out, the contents of the package, which is disguised as the GunBot tool, contains a similar trojanized “Inventory System” as well as the VB Script downloader. We speculate this small change in the setup is being (will be) used in another campaign.

Fig13. Fake GunBot package contains similar malicious files

Checking the Whois information of the domain, we found its registrant to be “Cobainin Enterprises” and other domains are laos registered under that entity.

Fig14. Whois information of bltcointalk.com

It was no surprise, therefore, that we found other domains that use similar domain names with replaced letters. When accessed, most of the sites display the “We’ll be back soon!” message, which is the same page that is displayed when “index.phptopic=3D1715214.0/” is accessed in “bltcointalk.com”.

Fig15. Domains registered under “Cobainin Enterprises”

Fig16. Maintenance message from some of the “inactive” domains

It’s possible that the threat actors cycle these sites between their malware campaigns. One of the websites on the list, “qunthy.org” leads to a fake website for Gunbot. On the legitimate Gunbot website, interested clients are redirected to the developer’s Telegram profile, which is done by clicking the “CONTACT” button. In the case of the fake website, that button is replaced with a “GET IT” button that can be triggered just by hovering on it. This leads to a file hosting website, “http[:]//desfichiers.com/?9onk0nboih”. However, as of this writing, the file pointed to by the URL no longer exists , however it seems safe to assume that it’s nothing benign.

Fig17. Official website of Gunbot

Fig18. Fake website of Gunbot

Fig19. Hosted file that no longer exists

Conculsion

The rise of Bitcoin to the top of the burgeoning cryptocurrency market has paved the way to the creation of bot trading applications such as Gunbot. Malicious counterfeit sites are sophisticated in terms of stealth and general infrastructure, and pose great risks to Bitcoin traders who may be tricked by its schemes.

In our investigation of Orcus RAT, we have again proven again that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.

-= FortiGuard Lion Team =-

Protection

1. FortiSandbox rates all the samples with High Risk without additional reconfiguration.
2. C&C’s and download sites are already blocked using Fortinet Web Filtering.

IOC

5a87b68d38993a429fedf258198dce24ddffe4e9ba5e20b11bc78d7d045e85ca – MSIL/Orcus.KAD!tr

457d8e6f3a4be23dd46c91bfc45c97c241bc741656d6192aca05dfeaecc17fa4 – MSIL/Orcus.KAD!tr

5ef25d21925b2b116548fcc21fd3d8e47f2e540aaffae124da50787d124e62d5 – MSIL/Orcus.KAD!tr

3941995e94d491968e95f19e6b0b0ded8b97084b219b722f6766a45e05f286db – MSIL/Orcus.KAD!tr

a949b92d82e66816f791683aa40e4b20cf132ec190c2936463a15068c31d0588 – MSIL/Orcus.KAD!tr

0a3280b85932d9aca690bb770a104c2d4123af37494a3af6ec469972f4907de6 – MSIL/Orcus.KAD!tr

41104f7d0087ea6e2a973f91ab2f18fce3ba5d31d81ab18434e3fcd24d871fef – MSIL/Orcus.KAD!tr

b98b1626071d7f6ef368813f4f5f6f77123c6243f6957be3aa3102aa012d5921 – MSIL/Orcus.KAD!tr

9e50bdad057ce4e3e386a44e3ffbd644f59e03c252b244e783d03684bf91bd11 – VBS/Agent.NYT!tr.dldr

C&C

172.111.160.213

Sign up for our weekly FortiGuard Labs intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.