John Paul Revesz (also known as “Armada”), the Canadian behind the Orcus RAT (software that has been used in various malware attacks), was charged on November 8 under Section 342.1 of the Criminal Code. That section covers the unauthorized use of a computer, and at its core this is what Revesz’s Orcus software does: it takes control of another person’s computer without the owner’s knowledge. Revesz claimed that his software is a legitimate remote administration tool and that his company’s terms of service and end-user agreement clearly state that misuse of the software is not allowed.
However, the authorities and cybersecurity experts insisted that Orcus was a remote access Trojan. Its most telltale sign? The software is marketed as such on Dark Web forums. Revesz and his team, investigators said, even offered technical support to clients on infecting machines with the malware and covering their online tracks. The team also developed and supported suspicious plugins and functionalities, including:
- The ability to view a victim’s webcam with the LED indicator switched off, so victims can’t tell that they are being monitored
- A keylogger that records a victim’s every keystroke
- An anti-debugger and an option to stop the RAT from running inside a virtual machine, allowing clients to evade analysis and detection
- The ability to check whether a file has already been scanned on VirusTotal
- A survey bot that makes victims’ devices answer surveys so the RAT’s operators get paid for the victims’ answers
- An AdSense injector that hijacks page ads and replaces them with the client’s own ads; this plugin can also disable an ad blocker in Chrome
- A USB/.zip/.doc macro spreader that lets clients infect further devices with the malware
Our Investigative Tool: Threat Intelligence Platform
Since its source code became publicly available, Orcus has become one of the most widespread RATs in use today. As such, experts expect to see more Orcus-enabled cyber attacks in the future.
At present, Orcus is used to launch attacks against individuals and organizations, specifically in the financial and government sectors. Like much other malware, Orcus is mostly distributed through phishing emails that entice victims to click a seemingly innocent link, which redirects them to a page hosted on the attacker’s server. Once the victim connects, a malicious PE32 executable masquerading as a PDF file is dropped onto the computer.
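The lure described above, an executable delivered under a .pdf name, is easy to catch if you read the file header instead of trusting the extension. The following is an added example (ours, not code from the original post or from the Orcus investigators): it classifies a blob by its magic bytes, walking from the DOS header to the PE signature and the optional-header magic that distinguishes PE32 from PE32+, and flags names that promise a PDF (including double extensions such as Invoice.pdf.exe) over executable content. The sample bytes are constructed inline, a minimal PE32 header and a PDF prologue, so the script runs offline.

```python
import struct

# Header constants from the PDF and PE file formats.
PDF_MAGIC = b"%PDF-"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_OPTIONAL_MAGIC = 0x10B      # 32-bit image
PE32PLUS_OPTIONAL_MAGIC = 0x20B  # 64-bit image
EXECUTABLE_TYPES = {"pe32", "pe32+", "pe", "mz-dos"}


def sniff(data: bytes) -> str:
    """Classify a blob by its header bytes, ignoring whatever the filename claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(DOS_MAGIC) and len(data) >= 0x40:
        # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        sig_end = e_lfanew + 4
        if data[e_lfanew:sig_end] == PE_SIGNATURE and len(data) >= sig_end + 22:
            # The 20-byte COFF header follows the signature; the first field of
            # the optional header is the magic that tells PE32 from PE32+.
            magic = struct.unpack_from("<H", data, sig_end + 20)[0]
            if magic == PE32_OPTIONAL_MAGIC:
                return "pe32"
            if magic == PE32PLUS_OPTIONAL_MAGIC:
                return "pe32+"
            return "pe"
        return "mz-dos"  # MZ stub without a valid PE signature: still executable
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when the name promises a PDF (including double extensions such as
    'Invoice.pdf.exe') but the bytes are a Windows executable."""
    name = filename.lower()
    looks_like_pdf = name.endswith(".pdf") or ".pdf." in name
    return looks_like_pdf and sniff(data) in EXECUTABLE_TYPES


def sample_pe32() -> bytes:
    """Constructed minimal PE32 header for the demo; not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header right after the DOS header
    # COFF header: Machine=i386, 1 section, no timestamp/symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", PE32_OPTIONAL_MAGIC) + b"\0" * 222
    return bytes(dos) + PE_SIGNATURE + coff + optional


SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"  # constructed PDF prologue

if __name__ == "__main__":
    for name, blob in [("Invoice_2019.pdf", sample_pe32()),
                       ("Invoice_2019.pdf", SAMPLE_PDF),
                       ("Invoice_2019.pdf.exe", sample_pe32())]:
        print(f"{name:22} content={sniff(blob):7} masquerading={is_masquerading(name, blob)}")
```

The same header walk is what mail gateways and EDR agents do when they "sniff" attachments; the point is that the extension, the Content-Type header and the icon are all attacker-controlled, while the bytes are not.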
In several incidents, the attackers used the SendGrid email delivery service to point their victims to the server where Orcus is hosted. However, instead of sendgrid.com, SendGrid’s primary domain name, the links used the domain sendgrid[.]net.
We ran the real SendGrid domain sendgrid.com and the one the attackers used, sendgrid[.]net, through our Threat Intelligence Platform (TIP), a tool that provides threat intelligence to organizations, and found that both belong to SendGrid, Inc. The domain in the attackers’ links was therefore not a lookalike they registered themselves. Either it was compromised for the attack or, since sendgrid.net is the domain SendGrid uses for its link-tracking redirects, the attackers simply sent their lure through SendGrid so that its tracking links forwarded victims to the Orcus server. Either way, here are issues that SendGrid’s IT specialists can look into:
- HTTP Public Key Pinning (HPKP) headers. HPKP lets a site pin the public keys of its TLS certificate chain, so that a browser which has cached the pin rejects a later connection that presents a certificate not chaining to one of those keys. That protects against mis-issued certificates and TLS interception on the pinned hostname; it does nothing against a lookalike domain, and the mechanism has since been deprecated and removed from the major browsers, so Certificate Transparency monitoring and a CAA record are the more practical controls today. Sendgrid.com’s HPKP headers are not set.
- Our comparison also revealed that both sendgrid.com and sendgrid[.]net resolve to the same IP address. If sendgrid[.]net is indeed owned by the same company and has been compromised, it may be wise to temporarily sever its ties to its nonmalicious counterpart, and to treat shared infrastructure as suspect until the compromise is ruled out.
- Our sendgrid[.]net report also found that it redirects to other websites. While there are legitimate reasons for URL redirection, attackers abuse open or unvalidated redirects to distribute malware or lead victims to malicious sites. SendGrid would do well to verify that the redirects served from its domain are legitimate and are not being manipulated by threat actors for their own gain.
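The redirect scrutiny recommended in the list above can be automated, whether by SendGrid on its own tracking links or by a defender checking a link pulled from a phishing email. The following is an added example, not code from the original post or from SendGrid: it walks a redirect chain one hop at a time (handling relative Location headers, loops and a hop limit) and flags chains that leave the sender’s own registrable domains or land on something that looks like an executable. The URLs, hosts and HTTP responses are constructed for the demo (fake_fetch, the .example hosts and the sendgrid.net paths are all made up); a real run would swap in an HTTP client that does not follow redirects on its own.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".msi")

# Constructed responses standing in for a live crawl: URL -> (status, Location header).
# Every host and path here is made up for the example; nothing was fetched.
FAKE_RESPONSES = {
    "https://u123.ct.sendgrid.net/ls/click?upn=abc": (302, "https://cdn-invoices.example/dl.php?id=7"),
    "https://cdn-invoices.example/dl.php?id=7": (302, "/files/Invoice_2019.pdf.exe"),
    "https://cdn-invoices.example/files/Invoice_2019.pdf.exe": (200, None),
    "https://u123.ct.sendgrid.net/ls/click?upn=ok": (302, "https://www.sendgrid.com/docs/"),
    "https://www.sendgrid.com/docs/": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    """Stand-in for one HTTP request that does NOT follow redirects itself
    (with requests you would pass allow_redirects=False and read r.headers['Location'])."""
    return FAKE_RESPONSES.get(url, (404, None))


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net; use a public-suffix
    list for country-code TLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Walk a redirect chain hop by hop; return the URLs visited and why we stopped."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        url = urljoin(url, location)  # Location may be relative to the current URL
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too_many_hops"


def assess(url, trusted_domains, fetch=fake_fetch):
    """Flag chains that leave the sender's own domains or end in an executable."""
    chain, stop = follow_redirects(url, fetch)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    off_domain = sorted({h for h in hosts if registrable_domain(h) not in trusted_domains})
    final_path = urlsplit(chain[-1]).path.lower()
    findings = []
    if off_domain:
        findings.append("chain leaves trusted domains via: " + ", ".join(off_domain))
    if final_path.endswith(EXECUTABLE_EXTENSIONS) or ".pdf." in final_path:
        findings.append("final URL looks like an executable: " + final_path)
    if stop != "final":
        findings.append("chain did not terminate cleanly: " + stop)
    return {"chain": chain, "stop": stop, "findings": findings}


# Both domains belong to SendGrid according to the lookup described in the post.
SENDGRID_DOMAINS = {"sendgrid.com", "sendgrid.net"}

if __name__ == "__main__":
    for start in ("https://u123.ct.sendgrid.net/ls/click?upn=abc",
                  "https://u123.ct.sendgrid.net/ls/click?upn=ok",
                  "https://loop.example/a"):
        result = assess(start, SENDGRID_DOMAINS)
        print(start, "->", " -> ".join(result["chain"][1:]) or "(no redirect)")
        for finding in result["findings"]:
            print("   !", finding)
```

Treating sendgrid.com and sendgrid.net as one trusted set is what the TIP lookup justifies; the interesting signal is the hop that leaves that set, because that is where a legitimate tracking redirect turns into a path to the attacker’s server.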
* * *
Threat actors are increasingly borrowing the identities of established organizations for their malicious campaigns. SendGrid, for one, has already been used in several phishing attempts, as a quick search on Twitter reveals. The names of law enforcement agencies and courts are often abused as well, as subpoena-themed phishing emails show.
To keep malware such as Orcus off their computers, organizations need to make sure that the entities they are dealing with are who they claim to be. Due diligence, and quick comparisons of network logs against threat intelligence feeds, can help them spot anomalies. A tool like Threat Intelligence Platform also lets them check their own domains regularly to make sure they are not exposed to attack.