Morphisec: A new cyber attack campaign by the PUSIKURAC threat actor is using the Orcus RAT to steal information
A new cyber attack campaign that abuses the Coca-Cola brand to steal information has been analyzed by Morphisec security researchers. The campaign, which is still ongoing, delivers the Orcus Remote Access Trojan (RAT) through targeted attacks. If successful, the RAT can steal browser cookies and passwords, launch server stress tests (DDoS attacks), disable the webcam activity light, record microphone input, spoof file extensions, log keystrokes and more. The forensic data showed a high correlation with additional samples in the wild, indicating that a single threat actor is behind multiple campaigns, including this one. According to the company, the actor specifically focuses on information stealing and .NET evasion. “Based on unique strings in the malware, we have dubbed the actor PUSIKURAC,” the Morphisec blog states. “Before executing the attacks, PUSIKURAC registers domains through FreeDns services. It also utilizes legitimate free text storage services like paste, signs its executables, heavily misuses commercial .NET packers and embeds payloads within video files and images”.
According to Morphisec, the attack chain starts with a persistent VBScript that executes a PowerShell script, which downloads a .NET executable obfuscated and encrypted with ConfuserEx. The downloaded executable performs a known UAC bypass by hijacking the Event Viewer registry handler to gain the highest privileges. The running process with the highest privileges then downloads a legitimate Ramadan-themed Coca-Cola advertising video, which contains an embedded .NET Orcus RAT. Each stage of the attack includes additional obfuscation and custom encryption steps. The .NET downloader is signed with an invalid Notepad++ certificate, encrypted with a known obfuscation framework (ConfuserEx) and further obfuscated by a custom algorithm that transforms strings representing binary number patterns into readable strings and byte arrays. The malware can also download additional stages from paste.ee and bit.ly under certain conditions.
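The Event Viewer UAC bypass described above leaves two telemetry traces a defender can look for: a write to the per-user `mscfile` handler key that the auto-elevated `eventvwr.exe` consults, and a child process other than `mmc.exe` spawned by `eventvwr.exe`. The following detection logic is an added example, not code from Morphisec or from the malware analysis; the Sysmon-style event lines are constructed, and the exact key path used in this campaign is an assumption based on the well-known Event Viewer hijack.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process
# create), flattened to "Key=Value" pairs as a SIEM might export them. Not from the report.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\.txt\\(Default) Details=txtfile",
    "EventID=13 Image=C:\\Users\\a\\AppData\\Roaming\\dl.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default) Details=C:\\Users\\a\\AppData\\Roaming\\dl.exe",
    "EventID=1 Image=C:\\Windows\\System32\\mmc.exe ParentImage=C:\\Windows\\System32\\eventvwr.exe",
    "EventID=1 Image=C:\\Users\\a\\AppData\\Roaming\\dl.exe ParentImage=C:\\Windows\\System32\\eventvwr.exe",
]

# eventvwr.exe auto-elevates and resolves the "mscfile" handler from the user's hive before
# HKCR, so a per-user write to this key is the precondition of the hijack. Sysmon may report the
# user hive as HKU\<SID>\Software\Classes\... or HKU\<SID>_Classes\..., both are matched here.
MSCFILE_HIJACK = re.compile(
    r"^HKU\\[^\\]+\\(Software\\Classes\\)?mscfile\\shell\\open\\command", re.IGNORECASE
)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value' into a dict; values may contain spaces but not ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def find_eventvwr_bypass(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every event that matches one of the two indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13" and MSCFILE_HIJACK.match(ev.get("TargetObject", "")):
            findings.append(("mscfile_handler_hijacked_in_user_hive", ev.get("Details", "")))
        elif eid == "1":
            parent = ev.get("ParentImage", "").lower()
            child = ev.get("Image", "").lower()
            # A legitimate Event Viewer launch only spawns mmc.exe; anything else inherited
            # the elevated token and should be investigated.
            if parent.endswith("\\eventvwr.exe") and not child.endswith("\\mmc.exe"):
                findings.append(("unexpected_child_of_eventvwr", ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for rule, detail in find_eventvwr_bypass(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

Restoring the hijacked key (deleting the per-user `mscfile` handler) removes the precondition; the process-lineage rule remains useful because the same bypass can be staged through other auto-elevating binaries.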