Orcus Remote Access Trojan

First observed in 2016, Orcus is a .NET-based remote administration tool whose author has indicated that it was created for illegitimate purposes.

Threat ID:: CC-2887
Category:: Trojan
Threat Severity:: Medium
Threat Vector:: Phishing, Email spam, Drive by download
Published:: 6 February 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First observed in 2016, Orcus is a .NET-based remote administration tool whose author has indicated that it was created for illegitimate purposes.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

In 2019, the group who managed the tool announced they were no longer developing it and released the latest build version on several dark net forums.

At the time of publication, Orcus has been distributed through spam or phishing campaigns, watering hole attacks, drive-by downloads or embedded within web content. Once on a device, it will use a User Access Control bypass to identify and hijack the highest privileged process currently active in the affected device before connecting to a command and control server.

Despite being offered as a 'legitimate' tool and having the expected functionality for a administration tool, Orcus has the following malicious capabilities:

Perform distributed denial-of-service attacks.
Extract browser credentials and cookies.
Spoof file extensions.
Log keystrokes.
Record camera and microphone input.
Disable camera activity indicators.

Remediation steps

Type	Step
	To prevent and detect a trojan infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect a trojan infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:51 pm