OrcaKiller: A RAT using Windows Crypto API functions

October 28, 2014

The Dell SonicWall Threats Research team observed reports of a remote access Trojan named GAV: Suspicious#asprotect actively spreading in the wild. A remote access Trojan (RAT) is a malware that includes a back door over the target computer. RATs are usually downloaded invisibly with a user requested program such as a game or sent as an email attachment. Once the target system is compromised, the attacker may use it to distribute RATs to establish a botnet.

OrcaKiller uses Windows Crypto API functions to transfer encrypted communications over its own command and control server making it difficult to be detected.

Infection Cycle:

Md5: f6456b115e325b612e0d144c8090720f

The Trojan adds the following files to the system:

%appdata%MicrosoftProtectS-1-5-21-1645522239-117609710-682003330-500[Random Filename]

Here is a sample of the file:

The Malware uses following functions for encryption and decryption:

Library ADVAPI32.dll:

  • CryptEncrypt
  • CryptReleaseContext
  • GetUserNameA
  • CryptCreateHash
  • CryptHashData
  • CryptDeriveKey
  • CryptAcquireContextA
  • CryptDecrypt
  • CryptDestroyKey
  • CryptDestroyHash
  • CryptGenRandom

Library CRYPT32.dll:

  • CryptBinaryToStringA
  • CryptStringToBinaryA

The malware generates a random number of 6 bytes dynamically and then appends the word OrcaKiller to the end of this string. It uses RC4 and Base64 algorithm for encryption. The RC4 encryption key is derived from an MD5 hash of the randomly generated bytes concatenated with the OrcaKiller string.

Malware Traffic

OrcaKiller has communication over port 443. Uses requests to statically defined IPs are made on a regular basis. These requests such as the following:

The malware uses dynamicity codes on its own Traffic. Here are some details about these codes:

Code 1 & 2: system UID

Code 3: Base64 encrypted Key

Code 4: encrypted User name

Code 5: encrypted IP address

Here is the decrypted HTTP traffic example:

The command and control of Orcakiller appears to serve two purposes.

The first purpose of the malware is to act as a downloader and the second purpose is to work as a backdoor with access to the victim machines command line.

Malware looking for some webpage HTML tags on the traffic.

Here are the HTML commands the malware tries to look for on the HTTP posts and extract the commands or download executable binary files:

The malware uses same encryption key that is sent in the HTTP post string for decryption. After the payload text has been decrypted the malware execute the binary file on the target system.

The malware generates a new encryption key for every post command.

The malware tries to download all these files from its own Command and control server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Suspicious#asprotect