Bitcoin investors targeted by Orcus RAT in new phishing campaign

December 8th, 2017 Waqas Security, Malware 0 comments

Bitcoin has become one of the most valuable cryptocurrencies in the world, currently valued at over $15,000 (€13,170). That is great news for those who invested in Bitcoin, but even better news for hackers and other malicious actors.

Old RAT, new capabilities

While Bitcoin’s value soars, cyber threats against its investors are gaining momentum as well. Recently, researchers at IT security firm Fortinet discovered a new and sophisticated phishing campaign in which attackers use the Orcus remote access trojan (RAT) to target Bitcoin investors by offering Gunbot, a Bitcoin trading bot developed by GuntherLab (also known as Gunthy).

The phishing email arrives with an attached .zip file called “sourcode.vbs” (a VBScript) carrying Orcus RAT, which aims to steal the personal data and investments of unsuspecting users. The extension of the downloaded file suggests it is a JPEG image, but it is actually an executable. Researchers note that the cybercriminals behind the scam made little effort to hide this; they simply rely on the victim executing the file and falling for the scam.


Fake email sent from an @bltcolntalk.org address to trick users into believing it came from Bitcointalk, a Bitcoin forum. Credit: Fortinet
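The two lures described above, a sender domain that swaps lookalike characters into bitcointalk.org and an attachment whose final extension is executable despite a decoy image extension, can both be caught at the mail gateway. The following is an added example, not Fortinet’s or HackRead’s code; the lookalike domain is the one quoted in the article, while the sample messages and attachment names are constructed for illustration.

```python
from email.utils import parseaddr

# Domain the campaign impersonates, per the Fortinet write-up quoted above.
LEGIT_DOMAIN = "bitcointalk.org"
# Extensions Windows executes when the user double-clicks the file.
EXEC_EXTS = {"exe", "scr", "vbs", "vbe", "js", "jse", "wsf", "bat", "cmd", "com", "pif", "hta"}
# Harmless-looking extensions an attacker places before the real one (photo.jpg.exe).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}

def skeleton(domain: str) -> str:
    """Fold characters a typosquatter swaps (l/1/i, 0/o, rn/m, vv/w) so that
    'bltcolntalk.org' and 'bitcointalk.org' collapse to the same string."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o")):
        d = d.replace(src, dst)
    return d

def sender_verdict(from_header: str) -> str:
    """'legitimate' for the real domain, 'lookalike' for a homoglyph twin, else 'unrelated'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == LEGIT_DOMAIN:
        return "legitimate"
    if skeleton(domain) == skeleton(LEGIT_DOMAIN):
        return "lookalike"
    return "unrelated"

def attachment_verdict(filename: str) -> str:
    """Classify by the extension Windows actually honours: the last one."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "non-executable"
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        return "executable-disguised"   # e.g. gunbot_demo.jpg.exe
    return "executable"

def triage(message: dict) -> list:
    """Return the reasons a message should be held for review (empty list = nothing found)."""
    reasons = []
    if sender_verdict(message["from"]) == "lookalike":
        reasons.append(f"sender domain impersonates {LEGIT_DOMAIN}")
    for name in message.get("attachments", []):
        verdict = attachment_verdict(name)
        if verdict != "non-executable":
            reasons.append(f"{verdict} attachment: {name}")
    return reasons

# Constructed sample messages (not real campaign samples); "gunbot_demo.jpg.exe" is invented.
SAMPLES = [
    {"from": "Bitcointalk <admin@bltcolntalk.org>", "attachments": ["sourcode.vbs", "gunbot_demo.jpg.exe"]},
    {"from": "moderator@bitcointalk.org", "attachments": ["rules.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m) or ["clean"])
```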

According to a blog post by Floser Bacurio and Joie Salvio of Fortinet, “At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures. After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.”

“As we dug deeper into the decompiled code, we found an access reference to a big chunk of data named “Mastering” from a resource named “DVDImageBurn.” It contains encrypted binary data from a resource named “Mastering” that will be decrypted using a hardcoded key. As it turns out, this data is another .NET PE executable that is loaded and executed directly in memory.”

“To make sure that only one instance of the malware is running, the system checks for the existence of a mutex named “dgonfUsV.” Before the malware proceeds to its main payload, it first checks to see if it’s running from the path %APPDATA%\Roaming\Microsoft\Windows\DwiDesk\nethost.exe. If not, it creates a copy of itself in the said directory and executes from there instead,” the researchers explained.
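The mutex name and drop path quoted above are host-level indicators an incident responder can check directly. The following is an added example, not code from Fortinet or Orcus, that opens the named mutex through the Win32 API and tests for the dropped copy; on a non-Windows machine the mutex check reports None and the path check reports False.

```python
import ctypes
import os
import sys

# Indicators as quoted in the Fortinet analysis above (path string reproduced verbatim).
PERSIST_PATH = r"%APPDATA%\Roaming\Microsoft\Windows\DwiDesk\nethost.exe"
MUTEX_NAME = "dgonfUsV"

SYNCHRONIZE = 0x00100000      # minimal access right needed to open an existing mutex
ERROR_ACCESS_DENIED = 5       # mutex exists but belongs to a context we cannot open

def mutex_present(name: str):
    """True/False if a mutex of this name exists in the caller's session; None off Windows."""
    if not sys.platform.startswith("win"):
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED

def candidate_paths(template: str = PERSIST_PATH) -> list:
    """Expand %APPDATA%; returns [] where the variable is unset (non-Windows hosts)."""
    expanded = os.path.expandvars(template)
    if "%" in expanded:
        return []
    # %APPDATA% already ends in \AppData\Roaming, so the report's literal string would
    # double that folder; check both the literal form and the de-duplicated one.
    dedup = expanded.replace("\\Roaming\\Roaming\\", "\\Roaming\\", 1)
    return sorted({expanded, dedup})

def persistence_file_present(template: str = PERSIST_PATH) -> bool:
    return any(os.path.isfile(p) for p in candidate_paths(template))

def host_report() -> dict:
    """Summary a responder can log or feed into a wider sweep."""
    return {"persistence_file": persistence_file_present(), "mutex": mutex_present(MUTEX_NAME)}

if __name__ == "__main__":
    print(host_report())
```

A hit on either indicator should be treated as a trigger for full triage, not as the only evidence, since the article notes the payload is also loaded directly in memory.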

What can Orcus do?

Orcus’s developers have advertised it as a Remote Administration Tool (RAT) for Windows since 2016, with all the features such software should have. However, it is also capable of running plugins and executing C# and VB.NET code on the remote machine in real time. One of those plugins can be used to conduct Distributed Denial of Service (DDoS) attacks.

Furthermore, Orcus is equipped with keylogging capabilities that let attackers capture everything a victim types on their device. It can disable the webcam’s light indicator and monitor the victim’s activities without triggering any alert. Orcus can also implement a watchdog that restarts the server component, or even trigger a Blue Screen of Death (BSOD), if someone tries to kill its process.

“In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”

Bitcoin investors, watch out

Bitcoin users should watch out for this threat, especially now that Bitcoin wallets are under constant attack. Do not click links without verifying them, do not open emails from unknown senders, and never download or open their attachments.

Remember, just a couple of days ago hackers stole more than $70 million worth of Bitcoin after breaching the entire wallet of the NiceHash cryptocurrency mining marketplace. In the last five months, there have been seven successful data breaches against cryptocurrency platforms. If you are looking to store cryptocurrency safely, here is a list of the 5 safest Bitcoin wallets.
