3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox

Orcus is a Remote Access Trojan with some distinctive characteristics. The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class.
RATs are a stable category that consistently ranks among the most common malware types.
That’s why you’ll definitely come across this type in your practice, and the Orcus family specifically. To simplify your analysis, we have collected 3 lifehacks you should take advantage of. Here we go.
Definition. Orcus RAT is a Remote Access Trojan (RAT): a malicious program that gives attackers remote access to, and control over, compromised computers and networks.
Capabilities. Once downloaded onto a computer or network, it begins to execute its malicious code, allowing the attacker to gain access and control. It is capable of stealing data, conducting surveillance, and launching DDoS attacks.
Distribution. The malware is usually spread via malicious emails, websites, and social engineering attacks. It is also often bundled with other malicious software programs, such as Trojans, worms, and viruses.
The malware is designed to be difficult to detect, as it often uses sophisticated encryption and obfuscation techniques to prevent detection. If you need to get to the core of Orcus, the RAT configuration has all the data you need.
There are several lifehacks you should pay attention to while analyzing Orcus RAT.
Today we investigate the .NET sample that you can download for free from the ANY.RUN database:

Start by inspecting the malware’s classes: the data they hold reveals the program’s hidden characteristics and is exactly what your research needs.
An Orcus.Config namespace has these classes:

Once you dive into the Settings class, you will notice the GetDecryptedSettings method, which in turn calls AES.Decrypt. It looks like your job is done and the malware configuration is finally found. But hold on – the assembly doesn’t contain an Orcus.Shared.Encryption namespace.
Orcus RAT stores additional assemblies inside the malware resources, compressed with the ‘deflate’ algorithm. Go to the resources to find the necessary assembly. Unpacking them reveals the decryption algorithm that the Orcus sample uses. That brings one more lifehack for today.
Our treasure hunt goes on, as configuration data is encrypted.
Orcus RAT encrypts data using the AES algorithm and then encodes the encrypted data using Base64.
To decrypt the data, reverse those two steps in order: Base64-decode the data first, then AES-decrypt the result.

After decryption, we get the malware configuration in XML format, and all Orcus secrets are in your hands.
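The three steps above in Go, as an added example that is not code from the post or from ANY.RUN: inflating a deflate-compressed resource, then reversing Base64 and AES on a constructed configuration blob. The key, the IV, CBC mode with PKCS7 padding (the .NET Aes default) and the XML element names are assumptions; the real Orcus values come from the unpacked assembly, which the post does not reproduce.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
)

// Constructed key and IV for the sample below; the real Orcus key material is not on the page.
var SampleKey, SampleIV = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210")

// InflateResource undoes the raw 'deflate' compression of the assemblies kept in the resources.
func InflateResource(data []byte) ([]byte, error) {
	return io.ReadAll(flate.NewReader(bytes.NewReader(data)))
}

// EncryptConfig builds a constructed Base64(AES-CBC(PKCS7(xml))) blob to practise on (assumed layout).
func EncryptConfig(doc, key, iv []byte) string {
	block, _ := aes.NewCipher(key) // the constructed key is a valid 32-byte AES-256 key
	n := aes.BlockSize - len(doc)%aes.BlockSize // PKCS7 always appends 1..16 bytes
	padded := append(append([]byte{}, doc...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct)
}

// DecryptConfig reverses the layers in order: Base64, then AES-CBC, then PKCS7 padding (wrong key/IV is caught here).
func DecryptConfig(b64 string, key, iv []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("bad input (base64: %v, key: %v, length: %d)", err, kerr, len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return "", fmt.Errorf("bad PKCS7 padding byte %d: wrong key/IV or corrupted data", pad)
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed configuration; the element names are assumptions, not Orcus's real schema.
	blob := EncryptConfig([]byte(`<Settings><Host>c2.example.invalid</Host><Port>10134</Port></Settings>`), SampleKey, SampleIV)
	fmt.Println(DecryptConfig(blob, SampleKey, SampleIV)) // prints the XML and <nil>
}
```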
Malware analysis is not a piece of cake; it takes time and effort to crack a sample. That’s why it’s always great to cut the line and get everything at once, in a short time. The answer is simple – use a malware sandbox.
ANY.RUN malware sandbox automatically retrieves configuration for the Orcus RAT. It’s a much easier way to analyze a malicious object. Try it now – the service has already retrieved all data from this Orcus sample, so you can enjoy smooth research.

The Orcus RAT masquerades as a legitimate remote administration tool, although it is clear from its features and functionality that it is not and was never intended to be. Analyzing the malware yields information that strengthens your company’s security.
Protect your business from this threat – implement a comprehensive security strategy, train employees to recognize and avoid malicious emails and websites, and use reliable anti-virus and ANY.RUN malware sandbox to detect and analyze Orcus.