The process begins with a phishing email, as is the case with most such campaigns. The body advertises new software for mining and managing cryptocurrency coins. It is called Gunbot and is supposedly developed by GuntherLab, or at least that is what the mail claims. The reality is very different: when the user follows the link to start the download, what is actually saved on the computer is the Orcus installer, the threat that concerns us here. Security researchers have also seen variants in which a compressed file is attached directly to the email; it contains a Visual Basic script that downloads the malicious application disguised as a JPEG image. Several security companies have analysed the attack and note that the cybercriminals have not made much effort to conceal their intentions.
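A simple defensive check against the "executable disguised as a JPEG" trick described above is to compare a downloaded file's declared extension with its magic bytes. The following is an added example and not code from the article or from any of the security companies it cites; the file names and byte strings are constructed samples (a real JPEG/JFIF header and a bare PE "MZ" header), not artefacts from the Orcus campaign.

```python
"""Flag downloads whose file extension does not match their content.

Added example, not from the original article: the campaign described above
delivers a Windows executable disguised as a JPEG, so a cheap defensive check
is to compare the declared extension with the file's leading magic bytes.
"""
import os
from typing import Optional

# Well-known leading signatures for the formats this check understands.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "exe": (b"MZ",),          # Windows PE executables start with a DOS stub
    "zip": (b"PK\x03\x04",),  # ZIP archives (also .docx/.xlsx containers)
}

# What a given extension claims the file to be.
EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".exe": "exe", ".dll": "exe", ".scr": "exe",
    ".zip": "zip",
}


def detect_format(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes match the start of data, if any."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_download(filename: str, data: bytes) -> dict:
    """Compare claimed (extension) and actual (magic) format for one file."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext)
    actual = detect_format(data)
    # A PE image under a non-executable extension is the case the lure uses.
    suspicious = actual == "exe" and claimed != "exe"
    mismatch = claimed is not None and actual is not None and claimed != actual
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "mismatch": mismatch, "suspicious": suspicious}


# Constructed sample inputs (not real malware): a genuine JPEG/JFIF header,
# a PE header saved under an image name, and a ZIP header.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "update.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "archive.zip": b"PK\x03\x04\x14\x00",
}


def scan_samples() -> dict:
    """Run the check over the constructed samples, keyed by file name."""
    return {name: check_download(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: claims {result['claimed']}, is {result['actual']} -> {verdict}")
```

In practice this belongs in a mail gateway or download hook that reads only the first few bytes of each file; the point is that an extension is a label the sender controls, while the leading bytes are what Windows will actually act on when the file is opened.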
Details about Orcus
Once the download is complete, the executable installs an open-source tool that produces an inventory of the computer at the operating-system level. Harmless? No. Its code has been modified to decrypt an embedded .NET payload, which is then loaded directly into memory. The advantage for the attacker is that modules loaded this way never touch the disk and go completely unnoticed by security tools. Needless to say, the attack targets computers running Windows. Once all the Orcus modules have been initialised, the attacker at the other end has total control over the machine and over the information being entered on it.
Orcus functions
It is a RAT, that is, a Trojan that allows remote access to the device. Security experts have conducted a comprehensive analysis of the threat. It allows the attacker to execute commands with the privileges of the account currently in use on the system. It includes a keylogger that captures information entered via the keyboard. Another feature that has drawn attention is the ability to disable the webcam's LED indicator. Another available function is the use of the infected machine to carry out denial-of-service attacks. It has even been observed modifying the proxy settings of the system's web browsers to redirect the user to fake web pages. On top of that, all the infected computers are controlled from a single server. Security experts urge users to take precautions when downloading content, especially because in the Orcus case the threat's activity is not detected by security tools, since it is legitimate software that has been modified. So, what do you think about this? Simply share your views and thoughts in the comment section below.
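The proxy-hijacking behaviour mentioned above leaves a trace in the per-user WinINET key (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), which Internet Explorer, Edge and Chrome honour as the system proxy (Firefox keeps its own settings). The following added example, not code from the article or from any Orcus analysis, parses a `.reg` export of that key and flags values that deviate from an expected baseline. The allowlisted proxy and PAC URL are assumptions standing in for an organisation's real configuration, and the two exports are constructed samples.

```python
"""Audit an exported Internet Settings registry key for proxy hijacking.

Added example, not from the original article. It parses a minimal .reg export
of the per-user WinINET proxy key and reports settings that differ from an
assumed organisational baseline (ALLOWED_PROXIES / ALLOWED_PAC_URLS).
"""
import re

PROXY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Assumed baseline: the only proxy and PAC script this organisation expects.
ALLOWED_PROXIES = {"proxy.corp.example:3128"}
ALLOWED_PAC_URLS = {"http://proxy.corp.example/wpad.dat"}

_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only REG_DWORD and REG_SZ values are handled, which is all the proxy
    key needs; other value types are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _DWORD.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING.match(line)
        if m:
            # .reg files escape backslashes inside string values as "\\".
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_proxy_settings(reg_text: str) -> list:
    """Return findings for proxy configuration outside the baseline."""
    values = parse_reg_export(reg_text).get(PROXY_KEY, {})
    findings = []
    if values.get("ProxyEnable", 0) == 1:
        server = values.get("ProxyServer", "")
        if server not in ALLOWED_PROXIES:
            findings.append(f"unexpected proxy server enabled: {server!r}")
    pac = values.get("AutoConfigURL")
    if pac and pac not in ALLOWED_PAC_URLS:
        findings.append(f"unexpected PAC script configured: {pac!r}")
    return findings


# Constructed sample exports (not taken from an infected host).
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:3128"
"""

SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"AutoConfigURL"="http://pac.example.invalid/proxy.pac"
"""

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("suspect", SUSPECT_EXPORT)):
        print(label, audit_proxy_settings(export) or ["no findings"])
```

Exports like these are produced with `reg export` on the host; running the audit across a fleet and alerting on any finding catches a redirecting proxy regardless of which malware set it, which matters here because the modified inventory tool itself may not be flagged by antivirus.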