Bitcoin investors targeted by Orcus RAT in new phishing campaign

Bitcoin has turned out to be one of the most valuable cryptocurrencies in the world, currently valued at over $15,000 (€13,170). This is great news for those who invested in Bitcoin, but even better news for hackers and other malicious actors.

Old RAT, new capabilities

While Bitcoin’s value keeps climbing, cyber threats against its investors are also gaining momentum. Recently, researchers at IT security firm Fortinet discovered a new, sophisticated phishing campaign in which attackers use the Orcus remote access trojan (RAT) to target Bitcoin investors by offering Gunbot, a Bitcoin trading bot developed by GuntherLab (also known as Gunthy).

The phishing email carries a .zip attachment containing a VBScript file called “sourcode.vbs”, which delivers the Orcus RAT to steal personal data and investments from unsuspecting users. The extension of the downloaded file suggests a JPEG image, but it is actually an executable. The researchers note that the cybercriminals behind the scam made no real effort to hide this, apparently reasoning that it does not matter as long as the victim executes the file and falls for the scam.

Fake email sent by the attackers to make it appear as if it came from Bitcointalk, a Bitcoin forum. Credit: Fortinet

According to a blog post by Floser Bacurio and Joie Salvio of Fortinet, “At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.”

“As we dug deeper into the decompiled code, we found an access reference to a big chunk of data named “Mastering” from a resource named “DVDImageBurn.” It contains encrypted binary data from a resource named “Mastering” that will be decrypted using a hardcoded key. As it turns out, this data is another .NET PE executable that is loaded and executed directly in memory.”

“To make sure that only one instance of the malware is running, the system checks for the existence of a mutex named “dgonfUsV.” Before the malware proceeds to its main payload, it first checks to see if it’s running from the path %APPDATA%\Roaming\Microsoft\Windows\DwiDesk\nethost.exe. If not, it creates a copy of itself in the said directory and executes from there instead,” explained researchers.
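Turning the indicators in that description (the mutex name, the drop path and the lure file name) into a host-telemetry check, as an added example that is not Fortinet’s code: the record shape, the assumption that the sensor logs mutex creation, and the sample records are all constructed for this example.

```python
from typing import Dict, List, Tuple

# Indicators taken from the Fortinet analysis quoted above.
ORCUS_MUTEX = "dgonfUsV"
ORCUS_LURE = "sourcode.vbs"
# The article gives the drop path as %APPDATA%\Roaming\Microsoft\Windows\DwiDesk\nethost.exe.
# Telemetry records the expanded per-user path, so match on the tail that never varies.
DROP_PATH_TAIL = r"\microsoft\windows\dwidesk\nethost.exe"

Event = Dict[str, str]


def check_event(event: Event) -> List[str]:
    """Return the indicator names matched by one telemetry record.

    Records use a simplified, constructed Sysmon/EDR-like shape (an assumption):
      {"type": "ProcessCreate", "image": "<path>"}
      {"type": "FileCreate",    "target": "<path>"}
      {"type": "Mutex",         "name": "<mutex name>"}   # assumes the sensor logs mutex creation
    """
    hits: List[str] = []
    etype = event.get("type")
    path = (event.get("image") or event.get("target") or "").lower()
    if etype == "FileCreate" and path.endswith("\\" + ORCUS_LURE):
        hits.append("orcus_lure_vbs")          # the attachment written to disk
    if etype == "FileCreate" and path.endswith(DROP_PATH_TAIL):
        hits.append("orcus_drop_path_write")   # malware copying itself to DwiDesk\nethost.exe
    if etype == "ProcessCreate" and path.endswith(DROP_PATH_TAIL):
        hits.append("orcus_drop_path_exec")    # the copy re-launched from the drop path
    if etype == "Mutex" and event.get("name") == ORCUS_MUTEX:
        hits.append("orcus_mutex")             # the single-instance guard
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run check_event over a sequence of records; return (index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry: one benign process plus the chain described in the article.
SAMPLE_EVENTS: List[Event] = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "FileCreate", "target": r"C:\Users\alice\Downloads\sourcode.vbs"},
    {"type": "FileCreate",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\DwiDesk\nethost.exe"},
    {"type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\DwiDesk\nethost.exe"},
    {"type": "Mutex", "name": "dgonfUsV"},
]

if __name__ == "__main__":
    for index, indicator in scan(SAMPLE_EVENTS):
        print(f"event {index}: {indicator}")
```

Matching on the path tail rather than the literal %APPDATA% string keeps the check independent of how a given sensor expands environment variables.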

What can Orcus do?

Orcus developers have been advertising it as a Remote Administration Tool (RAT) for Windows since 2016, with all the features such a tool should have. It is also capable of running plugins and executing C# code on the remote machine in real time. One of those plugins can be used to conduct Distributed Denial of Service (DDoS) attacks.

Furthermore, Orcus is equipped with keylogging capabilities that let attackers capture everything a victim types on their device. It can disable the light indicator on webcams and monitor the victim’s activities without triggering any alert. Orcus can also install a watchdog that restarts the server component, or even trigger a Blue Screen of Death (BSOD), if someone tries to kill its process.

“In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”

Bitcoin investors, watch out

Bitcoin users should watch out for this threat, especially now that Bitcoin wallets are under constant attack. Do not click links without verifying them, do not open emails from unknown senders, and never download or open attachments.

Remember, just a couple of days ago hackers stole more than $70 million in Bitcoin after hacking the entire wallet of the NiceHash cryptocurrency mining marketplace. In the last five months, there have been seven successful data breaches against cryptocurrency platforms. If you are looking for a safe way to store cryptocurrency, here is a list of the 5 safest Bitcoin wallets.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.