win.orcus_rat

Orcus RAT


Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT, and probably more; the long list of commands is documented on its website. What separates Orcus from other RATs is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition, users can execute C# and VB.net code on the remote machine in real time.

References
http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/
https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors
https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html
https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/
https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/
https://orcustechnologies.com/
https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html
Yara Rules
[TLP:WHITE] win_orcus_rat_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_orcus_rat_auto {
    /* Purpose: autogenerated detection for the Orcus RAT family (Malpedia
     * entry win.orcus_rat), built by yara-signator from byte sequences taken
     * out of the disassembly of the sample(s) Malpedia holds for this family.
     * The rule uses no plain-text strings, imports or file-structure checks:
     * it matches purely on the ten hex sequences below, of which at least
     * 7 must be present (see the condition).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat"
        // malpedia_version is the dataset snapshot the rule was generated from;
        // "date" above is the generation date of the rule itself.
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a raw byte pattern; "??" is a one-byte wildcard.
        // The "| mnemonic" column in the annotations below is emitted by the
        // generator and is not part of the pattern. It does not map one-to-one
        // onto the listed byte chunks: the same "0800" chunk is annotated
        // differently in $sequence_0 and $sequence_7, so treat the mnemonics
        // as informational only.
        // NOTE(review): Orcus is documented as executing C# / VB.net code, so
        // these bytes may be .NET IL rather than native x86, which would make
        // the x86 mnemonics meaningless - confirm against the sample before
        // using the annotations for analysis.
        $sequence_0 = { 0800 0a25110c6fbe 0800 0a25110d6fbf 0800 }
            // n = 5, score = 100
            //   0800                 | or                  ah, byte ptr [0xbc6f0b11]
            //   0a25110c6fbe         | or                  byte ptr [eax], al
            //   0800                 | or                  ah, byte ptr [0xbe6f0c11]
            //   0a25110d6fbf         | or                  byte ptr [eax], al
            //   0800                 | or                  byte ptr [eax], al

        $sequence_1 = { 72?? e2?? 70?? 1d04000a13 }
            // n = 4, score = 100
            //   72??                 |                     
            //   e2??                 |                     
            //   70??                 |                     
            //   1d04000a13           | ror                 byte ptr [eax], 0

        $sequence_2 = { 7f?? 0006 72?? e2?? 70?? }
            // n = 5, score = 100
            //   7f??                 |                     
            //   0006                 | ror                 byte ptr [eax], 0
            //   72??                 |                     
            //   e2??                 |                     
            //   70??                 |                     

        // $sequence_3 is a superset of $sequence_7 (same bytes plus a trailing
        // "0800"), so any file matching $sequence_3 also matches $sequence_7.
        $sequence_3 = { 0800 0a25110a6fbb 0800 0a25110b6fbc 0800 0a25110c6fbe 0800 }
            // n = 7, score = 100
            //   0800                 | sbb                 eax, 0x130a0004
            //   0a25110a6fbb         | or                  al, 0x11
            //   0800                 | add                 eax, 0x2d720711
            //   0a25110b6fbc         | add                 byte ptr [eax + 0x6f], dh
            //   0800                 | add                 byte ptr [esi], al
            //   0a25110c6fbe         | sbb                 eax, 0x130a0004
            //   0800                 | add                 eax, 0x2d720711

        $sequence_4 = { 72?? e2?? 70?? 7f?? }
            // n = 4, score = 100
            //   72??                 |                     
            //   e2??                 |                     
            //   70??                 |                     
            //   7f??                 |                     

        $sequence_5 = { 00706f 7f?? 0006 72?? }
            // n = 4, score = 100
            //   00706f               | add                 byte ptr [eax + 0x6f], dh
            //   7f??                 |                     
            //   0006                 | add                 byte ptr [esi], al
            //   72??                 |                     

        // $sequence_6 is the tail of $sequence_8 (everything after its leading
        // "70??"), so any file matching $sequence_8 also matches $sequence_6.
        $sequence_6 = { 1d04000a13 0c11 051107722d e2?? 70?? }
            // n = 5, score = 100
            //   1d04000a13           | add                 byte ptr [esi], al
            //   0c11                 | adc                 dword ptr [edi], eax
            //   051107722d           | adc                 dword ptr [eax], eax
            //   e2??                 |                     
            //   70??                 |                     

        $sequence_7 = { 0800 0a25110a6fbb 0800 0a25110b6fbc 0800 0a25110c6fbe }
            // n = 6, score = 100
            //   0800                 | add                 byte ptr [ebp + edi*4 + 0x860000], bl
            //   0a25110a6fbb         | add                 eax, 0x2d720711
            //   0800                 | add                 byte ptr [esi], al
            //   0a25110b6fbc         | or                  byte ptr [eax], al
            //   0800                 | or                  ah, byte ptr [0xba6f0911]
            //   0a25110c6fbe         | or                  byte ptr [eax], al

        $sequence_8 = { 70?? 1d04000a13 0c11 051107722d e2?? 70?? }
            // n = 6, score = 100
            //   70??                 |                     
            //   1d04000a13           | sbb                 eax, 0x130a0004
            //   0c11                 | or                  al, 0x11
            //   051107722d           | add                 eax, 0x2d720711
            //   e2??                 |                     
            //   70??                 |                     

        $sequence_9 = { 8600 8cd2 0000 0537e5033c }
            // n = 4, score = 100
            //   8600                 | or                  byte ptr [eax], al
            //   8cd2                 | adc                 dword ptr [eax], eax
            //   0000                 | sbb                 eax, 0x130a0004
            //   0537e5033c           | add                 byte ptr [esi], al

    condition:
        // At least 7 of the 10 sequences must match. Because two pairs overlap
        // ($sequence_3 implies $sequence_7, $sequence_8 implies $sequence_6),
        // the number of genuinely independent patterns required is lower than
        // 7; keep that in mind when assigning a confidence level to hits.
        7 of them
}