Security News

ORCA, Remote Access Trojan

By

Overview:

The SonicWall Capture Labs Threat Research Team, recently discovered the “ORCA” remote access Trojan. ORCA, allows an attacker to manipulate various processes and services from the command line. The attacker can execute arbitrary commands allowing the capability to upload and download files along with various other tasks involving the file system.

The following IP addresses and DNS information are seen after the Trojan executes itself.

adda.lengendport.com
tsl.gettrials.com
auty.organiccrap.com

11.38.64.251
123.120.99.228
147.96.68.184
176.31.24.184
202.2.108.142
203.146.251.11
213.147.54.170
23.19.39.19
62.73.174.134
71.183.67.163
91.198.50.31

Static Information:

Encryption Routine & Key:

Inside Ida Pro, we can locate the following key information for how this Trojan was named. Inside function “401200” we see the following xor routine:

By using the byte array “byte_40A060” as a key to the xor routine. We can now decode the information:

  • 0x06 ^ 0x49 = 0x4f = O
  • 0x30 ^ 0x42 = 0x72 = r
  • 0x2E ^ 0x4D = 0x63 = c
  • 0x2D ^ 0x4C = 0x63 = a
  • 0x24 ^ 0x6F = 0x4B = K
  • 0x1D ^ 0x74 = 0x69 = i
  • 0x19 ^ 0x75 = 0x6C = l
  • 0x1F ^ 0x73 = 0x6C = l
  • 0x28 ^ 0x4D = 0x65 = e
  • 0x21 ^ 0x53 = 0x72 = r

String: “OrcaKiller”

The “OrcaKiller” Trojan calls the Windows Crypto API to generate a pseudo random number of around 6 bytes.
This random generated number concatenates itself to the string “OrcaKiller”. We now have “[6 bytes]OrcaKiller”.
With both parts of the generated string known. The Trojan now uses this information to encrypt other pieces of information.

Network Information

The following image shows the dns, header content and type along with the port number used by the Trojan

The Trojan looks for specific sets of HTML tags. The first set can be seen in the image below as “P” and the terminating tag “/P”. Once the Trojan has found the correct tags it drops in to the first command and control function. It then extracts the payload text between the HTML tags and runs it through the decryption routine. The same encryption key used above is used to decrypt the text. Once the payload text has been decrypted the Trojan treats this as a binary executable file, which is then written to the disk and executed.

Summary of Capabilities:

  • System/network information gathering
  • Keystroke logging
  • Screenshots
  • File upload/download/execute
  • Command shell

SonicWall Gateway AntiVirus, provides protection against this threat:

GAV: Orca.RAT_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage for May 2018
New Screen Lock Ransomware poses as Microsoft License Manager (Sept 9, 2011)
Heur.CFG A Malware Uses Encryption to Hide Its Intentions
Waledac Valentine cards (February 19, 2009)
3CX Desktop App compromised in a supply chain attack
MySQL Denial of Service Vulnerabilities (Sep 9, 2010)
SAP GUI Heap Overflow Vulnerability (Jan 08, 2009)
Redis Heap Buffer Overflow Vulnerability