Fortinet security experts have found that the creators of a remote access Trojan have been targeting Bitcoin investors trying to benefit from the recent spike in its value.
The hackers send the investors phishing emails advertising the new Bitcoin trading the bot application “Gunbot”, created by GuntherLab or Gunthy. Nevertheless, what the email delivers to the investors instead, is the malicious Orcus RAT.
The phishing emails contain a .ZIP attachment featuring a simple VB script developed to download a binary masquerading as a JPEG image file. The Fortinet researchers claim that the hackers did not even try to hide their intentions, either because they didn’t want to or because they have no technical knowledge to do so.
The downloaded executable is a Trojanized version of an open source inventory system tool called TTJ-Inventory System. A hardcoded key is used to decrypt encoded code into another .NET PE executable which is loaded and executed to memory.
By checking for the existence of a mutex called “dgonfUsV”, the malicious threat ensures that it is the only instance which is running on the infected computer.
According to Fortinet, a RunPE module can execute modules without writing them to the system. Also, it is capable of executing the modules under legitimate executables by running applications in suspended mode and replacing the process’ memory with the malicious code after that. By repeatedly executing the malware, the persistence watchdog keeps the threat running.
Apart from having all the features such an application should include, the Orcus RAT can load plugins and execute C# and VB.net code on the remote machine in real-time.
“Basically, if a server component gets ‘installed’ to your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing,” the Fortinet experts say.
In addition, Orcus is capable of disabling the light indicator on webcams to spy on users and implementing a watchdog which restarts the server component. Besides, if the user tries to kill the process, the RAT can trigger a Blue Screen of Death (BSOD).
Also, similarly to many other RATs, the Orcus threat features password retrieval and key logging functionality. Additionally, the malware offers a plugin which can be used to perform Distributed Denial of Service (DDoS) attacks.
The security experts noticed that the hackers have made some changes to the contents of the website distributing the Orcus RAT (bltcointalk.com, which tries to imitate Bitcoin forum bitcointalk.org). Besides, they removed the aforementioned image file from the website posting a ZIP file instead.
The Fortinet team has also found additional websites attempting to imitate legitimate domains by changing a single letter in the URL. For that reason, the experts suggest that the hackers cycle between the websites when switching to a new campaign.
