The Cofense™ Phishing Defense Center™ observed a malware campaign masquerading as an email complaint from the Better Business Bureau to deliver the notorious Orcus RAT. Its command-and-control server sits on ChickenKiller, a free DNS domain which we blogged about in 2015. Here’s how it works:
At first glance, the email body looks suspicious for two obvious reasons. Firstly, the recipient is greeted with “Dear Business Owner” instead of a personalized greeting. Secondly, the recipient is prompted to download a file via Sendgrid.
Fig 1: Email Body
The “Click to Download” link redirects the user to Sendgrid, a genuine communication platform that is often used in legitimate business applications and so is generally whitelisted by security appliances. This method allows threat actors to slip malicious URLs through the email gateway by disguising their true destination.
After visiting the Sendgrid URL, the target is redirected to hxxp://srv-15[.]directserver[.]us/?file=mega_9e2101605f, where the following zip archive is downloaded:
ComplaintNotification.zip (MD5: 0d8503911f5a8980ed0777f1fbb08c3d).
Extracting the archive reveals the file “Complaint_Notification.pdf.vbe.” The .pdf file extension is used to trick the target into believing it is a genuine PDF file, but on closer inspection, we can see that the file is actually an encrypted Visual Basic script with a file extension of .vbe.
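A gateway or triage script can catch this naming trick before the archive reaches a user. The following is an added example, not Cofense tooling: it lists zip members whose last extension is runnable while the one before it looks like a document. The extension sets and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile

# Final extensions that Windows runs via a script host or loader on double-click.
RUNNABLE = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".exe", ".scr"}
# Document-style extensions used as the decoy in front of the real one.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def flag_double_extensions(zip_bytes):
    """Return (entry, decoy_ext, real_ext) for members named like 'x.pdf.vbe'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Zip member names use '/' separators; keep only the file name.
            name = info.filename.rsplit("/", 1)[-1]
            # Strip padding spaces that push the real extension out of view
            # in a narrow column ("x.pdf     .exe").
            exts = ["." + part.strip().lower() for part in name.split(".")[1:]]
            if len(exts) >= 2 and exts[-1] in RUNNABLE and exts[-2] in DECOY:
                hits.append((info.filename, exts[-2], exts[-1]))
    return hits

def build_sample_zip():
    """Constructed archive: placeholder bytes, only the member names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint_Notification.pdf.vbe", b"placeholder")
        zf.writestr("docs/report.v2.pdf", b"placeholder")  # benign: ends in .pdf
        zf.writestr("scan.pdf   .exe", b"placeholder")     # space-padded variant
        zf.writestr("setup.exe", b"placeholder")           # single extension
    return buf.getvalue()

if __name__ == "__main__":
    for name, decoy, real in flag_double_extensions(build_sample_zip()):
        print(f"{name!r}: shown as {decoy}, runs as {real}")
```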
Complaint_Notification.pdf.vbe (MD5: f169f117586e6955e2837c586344398f). Viewing the contents of the .vbe script confirms our theory of an encrypted script:
Fig 2: Obfuscated VBS
After decrypting the script shown above, we are presented with a clean script:
Fig 3: Un-Obfuscated VBS
The Complaint_Notification.pdf.vbe uses WScript to retrieve the file orfin.exe from hxxps://www62[.]zippyshare[.]com/d/OzuQmXRu/41379/orfin[.]exe. The script should save the file as nc.exe and execute it with the parameters “-L -p 4444 -e cmd.exe,” which indicates the use of netcat (nc.exe) as a backdoor. On successful connection to the victim’s machine via netcat, the attacker would be presented with the command prompt.
However, the script fails to download orfin.exe directly from Zippyshare, as the download requires user interaction with the “Download Now” button.
Fig 4: Payload Page
Initially, it appears as if the script executed successfully, as a newly created file “nc.exe” appears on the victim’s machine. Trying to execute this file results in the error “The file or directory is corrupted and unreadable,” and closer inspection reveals that it is in fact an HTML file.
Fig 5: nc.exe
Analyzing the source code of the HTML file (nc.exe) shows that the content of that file actually includes the entire structure of the Zippyshare page that is shown above. So instead of downloading the actual file, the script only downloads the contents of that particular Zippyshare site.
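A dropped file like this one is still an indicator even though the payload never ran, and it can be found by comparing the name against the content. The following is an added example, not part of the original analysis: it checks whether a file named .exe really begins with PE signatures. The HTML sample and the 68-byte PE stub are constructed stand-ins.

```python
import struct

def content_type(data):
    """Classify by leading bytes: 'pe', 'html' or 'unknown'."""
    # A PE image starts with 'MZ' and stores the offset of its 'PE\0\0'
    # signature as a little-endian dword at 0x3C (e_lfanew).
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    # Skip a UTF-8 BOM and leading whitespace before looking for markup.
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def check_dropped_file(name, data):
    """Return a finding string when a .exe name does not hold a PE image."""
    kind = content_type(data)
    if name.lower().endswith(".exe") and kind != "pe":
        return f"{name}: named .exe but content is {kind}"
    return None

def minimal_pe_header():
    """Constructed 68-byte stub with valid MZ/PE signatures (not a runnable binary)."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

# Constructed stand-in for a saved download page.
SAMPLE_HTML = b"\r\n<!DOCTYPE html>\n<html><head><title>download page</title></head></html>"

if __name__ == "__main__":
    print(check_dropped_file("nc.exe", SAMPLE_HTML))
    print(check_dropped_file("orfin.exe", minimal_pe_header()))
```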
Due to the direct download restriction of Zippyshare, the automatic execution of this malware sample fails. However, we were able to continue our analysis by downloading the file orfin.exe (MD5: 683d515781a63071ac70428cd119c359) from the page by clicking the “Download Now” button on the right.
On execution of orfin.exe, the malware creates a hidden folder “hgfvfv” in AppData\Roaming. It then continues to create a copy of itself in that folder under the new name “gfdfvfe.exe.” Additionally, it drops a file gfdfvfe.exe.bat (MD5: a521efa0a32e69fdeaa3d2737f8a42c6), which checks whether the malware is running and starts the executable file if it is not.
Fig 6: exe.bat
Furthermore, the malware creates another executable file tmp.exe (MD5: c334e4208515152666cdadf9b8b4e420) in AppData\Roaming and runs it as a child process of itself. To get an insight into tmp.exe, we ran peframe against it, as shown below.
Fig 7: peframe output
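The process behaviour described so far (the netcat parameters, the .exe.bat watchdog and a Roaming binary spawning another Roaming binary) maps to simple rules over process-creation telemetry. The following is an added detection sketch, not a Cofense rule: the event fields, the user name, the parent processes and the locations of nc.exe and the .bat file are assumptions, and the events are constructed.

```python
import re

SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
EXE_BAT = re.compile(r'\\AppData\\Roaming\\[^"]*\.exe\.bat\b', re.IGNORECASE)

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def is_listener_with_shell(cmdline):
    """Listen flag (-l / -L) together with '-e <shell>'."""
    tokens = cmdline.split()
    listening = any(t in ("-l", "-L") for t in tokens)
    bound_shell = any(flag == "-e" and basename(value) in SHELLS
                      for flag, value in zip(tokens, tokens[1:]))
    return listening and bound_shell

def triage(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    if is_listener_with_shell(event["cmdline"]):
        hits.append("listener-with-shell")
    if EXE_BAT.search(event["cmdline"]):
        hits.append("exe.bat-watchdog-in-roaming")
    if ROAMING.search(event["image"]) and ROAMING.search(event["parent"]):
        hits.append("roaming-binary-spawns-roaming-binary")
    return hits

# Constructed events; user name, parents and nc.exe/.bat locations are assumed.
U = r"C:\Users\alice"
EVENTS = [
    {"image": U + r"\Downloads\nc.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "nc.exe -L -p 4444 -e cmd.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd.exe /c "' + U + r'\AppData\Roaming\hgfvfv\gfdfvfe.exe.bat"'},
    {"image": U + r"\AppData\Roaming\tmp.exe",
     "parent": U + r"\AppData\Roaming\hgfvfv\gfdfvfe.exe",
     "cmdline": '"' + U + r'\AppData\Roaming\tmp.exe"'},
    {"image": r"C:\Tools\nc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "nc.exe -l -p 8080"},  # listener without a bound shell: no hit
]

def run():
    return [triage(e) for e in EVENTS]
```

The Roaming-to-Roaming rule will also match some legitimate per-user software, so treat it as a lead to correlate with the other two rather than a verdict.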
Looking at the memory of orfin.exe reveals numerous mentions of Orcus.
Fig 8: Memory dump
Additionally, the malware creates a folder called Orcus in AppData\Roaming, which includes several .dll files that are referenced by the malware.
Fig 9: Appdata directory
The malware is sending data in encrypted form to its Command and Control server at hxxp://qstorm[.]chickenkiller[.]com, with an IP address of 193[.]161[.]193[.]99.
Fig 10: C2 traffic
Chickenkiller[.]com is part of Free DNS, a dynamic domain sharing project that has been used extensively in the past for malicious purposes. Cofense highlighted the DNS abuse in a 2015 blog post: https://cofense.com/dns-abuse-by-cybercriminals/.
Based on the evidence gathered during analysis, we are confident that this malware is the remote administration tool called Orcus. Orcus has been around for many years and used to be marketed as a legitimate remote administration tool. However, the following functionalities demonstrate that it is capable of far more:
- Remote code execution
- Webcam monitor
- Disable webcam light
- Microphone recorder
- Remote administration
- Password stealers
- Denial of Service
- VM Detection
- Reverse Proxy
- Registry explorer/editor
- Real Time Scripting
- Advanced Plugin System
Indicators of Compromise
Observed Malicious Files:
- File Name: ComplaintNotification.zip; File Size: 683 bytes
- File Name: Complaint_Notification.pdf.vbe; File Size: 689 bytes
- File Name: nc.exe; File Size: 188,935 bytes
- File Name: orfin.exe; File Size: 1,897,272 bytes
- File Name: gfdfvfe.exe.bat; File Size: 191 bytes
- File Name: tmp.exe; File Size: 1,518,079 bytes
This threat was found in an environment running Proofpoint.
HOW COFENSE CAN HELP
89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense Center bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMe™. It includes a phishing simulation scenario, “Complaint Notification – Orcus RAT,” to educate users on the attack described in today’s blog.
When users see suspicious emails, they need an easy way to give incident responders visibility. Remove the blind spot with Cofense Reporter™.
Quickly turn user reported emails into actionable intelligence with Cofense Triage™. Cofense Triage customers can see if they are impacted by the Orcus RAT by reviewing the rule: PM_Intel_Orcus_27623.
Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense Intelligence™.
Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.