Bitcoin investors targeted by Orcus RAT in new phishing campaign
Bitcoin has turned out to be one of the most valuable cryptocurrencies in the world, currently valued at over $15,000 (€13,170). This is great news for those who invested in Bitcoin, but even better news for hackers and other malicious actors.
Old RAT, New Capabilities
While Bitcoin’s value soars, cyber threats against its investors are also gaining momentum. Recently, researchers at IT security firm Fortinet discovered a new, sophisticated phishing campaign in which attackers use the Orcus remote access trojan (RAT) to target Bitcoin investors by offering Gunbot, a Bitcoin trading bot developed by GuntherLab (also known as Gunthy).
The phishing email arrives with an attached .zip file containing “sourcode.vbs” (a VB script) that delivers Orcus RAT, aimed at stealing the personal data and investments of unsuspecting users. The file downloaded by the script carries an extension suggesting a JPEG image, but it is actually an executable. The researchers note that the criminals behind the scam made no real effort to disguise this behaviour; they simply rely on the victim executing the file and falling for the scam.

According to a blog post by Floser Bacurio and Joie Salvio of Fortinet, “At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.”
“As we dug deeper into the decompiled code, we found an access reference to a big chunk of data named ‘Mastering’ from a resource named ‘DVDImageBurn.’ It contains encrypted binary data from a resource name ‘Mastering’ that will be decrypted using a hardcoded key. As it turns out, this data is another .NET PE executable that is loaded and executed directly to memory.”
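Two defender-side checks suggested by the findings above, as an added example that is not part of the original article or of Fortinet’s analysis: flagging a file whose extension claims an image but whose content is a PE, and locating a PE image inside a decrypted resource blob. The sample inputs are constructed stand-ins, not samples from the campaign.

```python
import struct

# Leading bytes of the formats this check recognises.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the content is.

    "mismatch:exe" is the masquerade described above: an executable wearing an image extension.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if ext == "exe":
        return "ok" if is_pe(data) else "mismatch:other"
    if data.startswith(expected):
        return "ok"
    return "mismatch:exe" if is_pe(data) else "mismatch:other"


def find_embedded_pe(blob: bytes) -> list:
    """Offsets in a (decrypted) resource blob where a structurally valid PE image begins."""
    hits, start = [], 0
    while (i := blob.find(b"MZ", start)) >= 0:
        if is_pe(blob[i:]):
            hits.append(i)
        start = i + 1
    return hits


def make_minimal_pe() -> bytes:
    """Constructed stand-in: DOS header with e_lfanew=0x40, then the PE signature. Not a real program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20
```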
Furthermore, Orcus is equipped with keylogging capabilities that let attackers capture everything a victim types on their device. It can disable the light indicator on webcams and monitor a victim’s activities without triggering any alert. Orcus can also implement a watchdog that restarts the server component, or even trigger a Blue Screen of Death (BSOD), if someone tries to kill its process.
The researchers conclude: “In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”