Rewterz Threat Alert – Orcus RAT – Active IOCs

Severity

High

Analysis Summary

Orcus, formerly known as Schnorchel, is a Remote Access Trojan (RAT) with some unusual behaviour. It lets attackers write their own plugins against a custom development library and ships with a robust core feature set, which makes it one of the most dangerous malicious programs in its class. Orcus RAT's capabilities include:

  • Keylogging and remote administration
  • Stealing system information and credentials
  • Taking screenshots, recording video from webcams, recording audio from microphones, and disabling the webcam light
  • Remote code execution and Denial-of-Service attacks
  • Exploring and editing the registry
  • Detecting virtual machines
  • Reverse proxying
  • Real-time scripting
  • Advanced plugin system

Government entities, financial services organizations, information technology service providers, and consultancies are the main target sectors of Orcus RAT.

Impact

  • Credential Theft
  • Financial Loss

Indicators of Compromise

MD5

  • a08fef0fb1892c8453749d07c036b834
  • 87dc4e9f3bb6d64109e13236c459bd75
  • 9da5706dff6effa88b7a41aefd415ef0

SHA-256

  • ba93e357204915035785c0081b8bf2d64622ce764b0caea504d0b55ee9713e27
  • e7965049e929aeeea681c1b8c4f3108d22b15ce64038fe8a9576ec06198186d7
  • ee3a15101a6793b68a547fed19f4c6690f90b58c511da6ba6de48940c697cb8e

SHA-1

  • 2bcb1a431a6442fbbd99e001fb4d9cdac365ac25
  • c11cd6f5715ffc5e25677be64a211f8bedffdfa9
  • d213f92a93bc69ecc009aea3a73746cd9c7561bf

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
  • Do not respond to unexpected emails from untrusted email addresses.