Orcus Remote Access Trojan

First observed in 2016, Orcus is a .NET-based remote administration tool whose author has indicated that it was created for illegitimate purposes. In 2019, the group who managed the tool announced they were no longer developing it and released the latest build version on several dark net forums.

At the time of publication, Orcus has been distributed through spam or phishing campaigns, watering hole attacks, drive-by downloads or embedded within web content. Once on a device, it uses a User Account Control (UAC) bypass to identify and hijack the highest privileged process currently active on the affected device before connecting to a command and control server.

Despite being offered as a ‘legitimate’ tool and having the expected functionality for an administration tool, Orcus has the following malicious capabilities:

  • Perform distributed denial-of-service attacks.
  • Extract browser credentials and cookies.
  • Spoof file extensions.
  • Log keystrokes.
  • Record camera and microphone input.
  • Disable camera activity indicators.

Indicators of Compromise

IP Addresses

  • 104[.]24[.]110[.]52
  • 159[.]8[.]77[.]62
  • 172[.]111[.]160[.]213
  • 192[.]253[.]242[.]196
  • 193[.]56[.]28[.]157
  • 194[.]5[.]98[.]139
  • 208[.]123[.]116[.]2
  • 208[.]123[.]116[.]44
  • 212[.]92[.]127[.]32
  • 3[.]4[.]0[.]8
  • 40[.]117[.]190[.]72
  • 40[.]85[.]179[.]199
  • 77[.]67[.]85[.]11
  • 79[.]177[.]231[.]128
  • 88[.]179[.]13[.]16
  • 88[.]179[.]93[.]85

URLs

  • 7ep7abrkuwzpcv3l[.]in
  • 7ep7abrkuwzpcv3l[.]onion
  • archive[.]is
  • assembly[.]name
  • battle[.]net
  • bit[.]ly
  • bitcointalk[.]org
  • bltcointalk[.]com
  • bltcointalk[.]org
  • bltcolntalk[.]org
  • chickenkiller[.]com
  • crabdance[.]com
  • crackedparadise[.]xyz
  • dedicatedpanel[.]net
  • desfichiers[.]com
  • exceptionless[.]io
  • fkqzda67aavjkhui[.]onion
  • gandi[.]net
  • hostingkartinok[.]com
  • http80[.]info
  • hxxp://bit[.]ly/2FRI9rE
  • jabber[.]ru
  • johnrevesz[.]com
  • l3[.]world
  • l3world[.]in
  • lordarmada[.]info
  • nootropicplace[.]com
  • orcus[.]pw
  • paste[.]ee
  • paste[.]ee/r/bOZW3
  • paste[.]ee/r/O53RV
  • pomf[.]pyonpyon[.]moe/ggesuy[.]jpg
  • pomf[.]pyonpyon[.]moe/wmtqck[.]mp4
  • poulty55[.]chickenkiller[.]com
  • pyonpyon[.]moe
  • rgho[.]st
  • rightinquirer[.]com
  • rtn-team[.]cc
  • salesgroup[.]top
  • salesgroup[.]top/Micro18/
  • sendspace[.]com
  • sparky384[.]org
  • syswow32batch[.]su
  • syswow32batch[.]su/WOW/
  • tcointalk[.]org
  • tcolntalk[.]org
  • unthy[.]org
  • vb[.]net
  • weirdly[.]crabdance[.]com
  • wex[.]nz
  • x[.]nz
  • xploit[.]in
  • xytjqcfendzeby22[.]onion

Email Addresses

MD5 File Hashes

  • 09751bf69d496aaa3c92df5ed446785b
  • 2091f8a68be181b0149c83dcbf2cfc05
  • 913967b216326e36a08010fb70f9dba3
  • 9c9de9187f51496760209c6b41502314
  • b4136b21b9e95fd1fa9c52bd897f4d2f
  • b94c7cc8d3705911f14618270a27e9d3
  • dcda34c58b06120757e907bedb561c2c
  • e6fcf516d8ed8d0d4427f86e08d0d435

SHA1 File Hashes

  • b9fc7852c2aec5b2e2dc97cacf0aa6bf4aefa470
  • c7691731583ab7890086635cb7f3e4c22ca5e409
  • d4a23d81f784cb02d29f9e898213ea0184f963f3
  • 161307cd9fa201256b0d17d9f3085e78f32d642a

SHA256 File Hashes

  • 26d5dadb8fec5f13b488f0532dbcf4d9cb4331ad1b7e7277ac9331fa39275528
  • 4056ee5b23e47d172b48c84ceb5b6eca5ee68cf839dc7e5f28e984005ed7dcea
  • 44996598c59fe3b9ff3b5cbe4a6777cc02785a60c52f203c7d3e063f77eb259d
  • 6554fabddabac2b14cb3209393a13471e7fe985750f1a9a8f030d1ebbc8dff35
  • 6f84336dea676298f50c511311020d5515d2aafd16ba9ff2cbc5519773062365
  • 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
  • b77189c68bd0b069c6d577b6e215208d2ee57d0a82265457e05935c7afdc3257
  • d4e86cba89ef74792284df73787833d0afe2ff0756f22b3a0adc10b2f219afa9
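The indicators above are published in defanged form (`[.]` for `.`, `hxxp` for `http`) so they cannot be clicked by accident, which also means they have to be refanged before they can be compared with anything in a log. The script below is an added example, not part of the original article or of any Orcus analysis tooling: it refangs a subset of the IPs, domains, URLs and file hashes listed above and scans a handful of constructed proxy, EDR and DNS log lines for them. Only infrastructure-looking domains are matched by hostname (including subdomains, as with the `chickenkiller[.]com` dynamic DNS host); shared services such as `bit[.]ly` and `paste[.]ee` are matched on the full URL, because their bare domain would flag ordinary traffic. The log lines and the log field names are assumptions made for the example.

```python
"""Refang the defanged Orcus indicators above and scan log lines for them.

Added example, not code from the original article. The IoC values are copied
from the lists above; the log lines and field names are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# A subset of the published indicators, still in defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["104[.]24[.]110[.]52", "159[.]8[.]77[.]62", "212[.]92[.]127[.]32"],
    # Hostnames that look like attacker-controlled infrastructure. Generic
    # services from the list (bit[.]ly, paste[.]ee, ...) are deliberately
    # excluded here and matched as full URLs instead, to avoid noise.
    "domain": ["orcus[.]pw", "7ep7abrkuwzpcv3l[.]in", "syswow32batch[.]su",
               "chickenkiller[.]com", "weirdly[.]crabdance[.]com"],
    "url": ["hxxp://bit[.]ly/2FRI9rE", "paste[.]ee/r/bOZW3",
            "salesgroup[.]top/Micro18/"],
    "md5": ["09751bf69d496aaa3c92df5ed446785b"],
    "sha1": ["b9fc7852c2aec5b2e2dc97cacf0aa6bf4aefa470"],
    "sha256": ["26d5dadb8fec5f13b488f0532dbcf4d9cb4331ad1b7e7277ac9331fa39275528"],
}


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]' -> '.', 'hxxp' -> 'http') and lower-case."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.lower()


# Refanged, lower-cased lookup sets keyed by indicator type.
IOCS: Dict[str, Set[str]] = {
    kind: {refang(v) for v in values} for kind, values in DEFANGED_IOCS.items()
}

# Token patterns used to pull candidate indicators out of free-form log text.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Also picks up things like 'svchost.exe'; harmless, they are never in IOCS.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return the sorted, de-duplicated (type, value) indicators found in a line."""
    low = line.lower()
    hits: Set[Tuple[str, str]] = set()
    for ip in IP_RE.findall(low):
        if ip in IOCS["ip"]:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(low):
        # Exact match or any subdomain of a listed domain.
        if any(host == d or host.endswith("." + d) for d in IOCS["domain"]):
            hits.add(("domain", host))
    for h in HASH_RE.findall(low):
        kind = HASH_KIND[len(h)]
        if h in IOCS[kind]:
            hits.add((kind, h))
    for url in IOCS["url"]:
        # Full URL match, so 'bit.ly' alone does not fire.
        if url in low:
            hits.add(("url", url))
    return sorted(hits)


def scan(lines: List[str]) -> List[Tuple[int, str, List[Tuple[str, str]]]]:
    """Return (line number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (proxy, EDR, DNS); not real telemetry.
SAMPLE_LOGS = [
    '2021-03-04T10:00:00Z proxy src=10.0.0.5 dst=212.92.127.32 host=orcus.pw url="http://orcus.pw/update"',
    '2021-03-04T10:00:05Z proxy src=10.0.0.7 dst=198.51.100.20 host=www.example.com url="http://www.example.com/"',
    '2021-03-04T10:01:00Z edr host=WS01 file=C:\\Users\\u\\AppData\\Local\\Temp\\svchost.exe md5=09751bf69d496aaa3c92df5ed446785b',
    '2021-03-04T10:02:00Z proxy src=10.0.0.9 dst=198.51.100.21 url="http://bit.ly/2FRI9rE"',
    '2021-03-04T10:03:00Z dns query=poulty55.chickenkiller.com answer=203.0.113.7',
]

if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Hash matches are exact and cheap; hostname and IP matches are where most of the judgement lies, since several entries in the list above (file-sharing sites, URL shorteners, registrars) are legitimate services that Orcus operators merely used. Treat those as context for an investigation rather than as block-list material, and keep the full-URL indicators for them.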

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
