In the computer realm, a Trojan refers to malicious software that hides its true intent from its target victim. The name is taken from the Greek myth of the fall of the city of Troy by means of a deceptive wooden horse; like that horse, such malware is disguised to look harmless.
There are many types of Trojans, and their impact is severe. As a malware entity, a Trojan can cause harm to both the user and the device. In this article, we will focus on Orcus RAT (Remote Access Trojan).
About Orcus RAT
Orcus RAT is a computer virus that is spread through sophisticated campaigns. This malware heavily targets Bitcoin investors in an attempt to swindle them out of their funds. It emerged in 2016 and has since hit several locations across the globe. This threat can cause serious financial losses and identity theft.
A Twitter user who goes by the name Armada was investigated after spreading the Trojan as a genuine Remote Administration Tool. While she was under investigation, an increased number of infected computers was recorded within the UK and Canada. The virus is spread through spear-phishing email campaigns and via drive-by downloads.
What Does the Orcus RAT Do?
When Orcus RAT lands on a host, it runs a process called PK Holdings.exe, which is visible in the Task Manager. It then accesses and modifies registry entries, activates an advanced system plug-in, and carries out other dubious activities. The goal is eventually to give the perpetrator full remote control of the system. Once that happens, the cybercriminal begins to harvest the victim’s banking details, capture keystrokes, record video via the webcam, and raid Bitcoin wallets. Eventually, the victim suffers huge financial losses.
The US and Canada have been the prime targets of Orcus RAT. Regardless, cybersecurity experts indicate that the malware has also hit other parts of the globe. The perpetrator of this Trojan started selling the malware in 2016 for $40. The seller also provided less experienced users with tutorials on how to use the virus when attacking other computers. The instructions included the use of dubious MS Office documents laced with macros, scripts, or CVE-2017-8759 exploits.
In 2018, the virus attacks emerged again, this time targeting US taxpayers through phishing campaigns. Orcus RAT was distributed as a bundle with Netwire. The Trojan resurfaced in 2019, but this time it used a new distribution strategy that hid the RAT in a Coca-Cola Ramadan-themed video. Regardless of the sort of campaign used, the goals and functionality of the RAT are the same: obtain financial gains and acquire banking credentials.
The content of the email used to deceive the user into opening the attached malicious content is as follows:
Dear Sir Madam, Good day!
We are trading company in Taiwan with business line of Lathe and CNC Machines, ELECTRICAL, BOLT & NUTS in this regard, Please kindly refer to the following items and offer your best quotation as soon as possible, thank you.
- C.I.F Kaohsiung Port Taiwan
- By air .1 By sea separately
- Do you need photo of name plate for this Machines Attached?
Kindly revert with price asap. Attached is Our Operating Certificate / License and Order for Specification and references
If you have any question, don’t hesitate to contact me.
PROTOM MACHINERY TOOLS LTD.
55 Chin Shan South Road Sec. 2
Taipei, Taiwan 10603 TAIWAN, R. 0. C.
Please to consider the environment before printing this e-mail
To achieve these goals, the developer of Orcus RAT equipped the malware with these capabilities:
- Execute DDoS attacks
- Take over the webcam functionality and disable its activity light
- Record video and audio using system resources
- Acquire vital system information
- Take snapshots
- Harvest passwords and browser cookies
Among these activities, the only one that can be noticed is the disabled webcam activity light. The other functions of this RAT run in the background, making it difficult for an average computer user to recognise its presence. To detect this RAT, you must run powerful anti-malware security software.
How to Remove Orcus RAT?
What makes Orcus RAT difficult to deal with is that the virus penetrates sensitive areas of the computer. It manipulates registry entries and plants various processes in the system. Therefore, even if you remove the program, the perpetrator may still gain access using the remnants left behind. If such processes exist on your computer, they can consume a lot of CPU power and system resources. This is why you should consider using an automatic utility in conjunction with the manual option.
Orcus RAT Removal Instructions
The manual removal process is complicated compared to the automatic one. Therefore, we advise using the automatic solution if your computer skills are not very advanced. However, if you want to use the manual approach, the first step is to identify the name of the Trojan you wish to get rid of. Once you have done that, you can proceed with the removal process as shown below:
Step 1: Enter Safe Mode with Networking
- Press Windows + I keys to launch the Settings app.
- Now, look for Update & Security and click on it.
- Go to the left pane and select Recovery.
- Click the Restart Now option under the Advanced Startup section.
- Click Troubleshoot before selecting Advanced options.
- Now, choose Startup Settings and then press Restart.
- Select option 5) Enable Safe Mode with Networking.
Step 2: End Suspicious Processes from the Task Manager
- Press Ctrl + Alt + Delete and click Task Manager to launch the utility.
- Now, click More details and scroll down to the section labelled Background processes. Check the list for any suspicious processes.
- Right-click on any dubious process and select Open file location.
- Head back to the Task Manager, right-click the suspicious process and this time select End task.
- Repeat Steps 3 and 4 for all dubious processes.
- When done, go to all opened file locations and delete the contents.
- Now, go to the Startup tab and identify the suspicious program. Right-click it and select Disable.
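The behaviour described earlier (the PK Holdings.exe process and the registry entries Orcus RAT modifies) and the Task Manager triage in Step 2 can also be checked from a PowerShell console. The script below is an added example, not code from the original article or from any vendor. It assumes Windows 10 with PowerShell 5.1 or later in an elevated session; the folders it treats as suspicious run locations are an assumption about where legitimate software rarely runs from, and it only reports, so ending a process or deleting a file remains a manual decision.

```powershell
# Added example (not from the original article): a read-only triage pass that lists
# running processes with their on-disk path and Authenticode signature status, then
# lists the usual autostart locations, so that an unsigned binary running out of
# %TEMP% or %APPDATA% stands out. Run in an elevated PowerShell session.

function Get-ProcessTriage {
    [CmdletBinding()]
    param()

    # Assumption: directories a normal Windows service or application rarely runs from
    $suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

    Get-Process | ForEach-Object {
        $proc = $_
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # access denied for some system processes

        $signature = 'Unknown'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        $inSuspectDir = $false
        foreach ($root in $suspectRoots) {
            if ($path -and $root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inSuspectDir = $true
            }
        }

        [PSCustomObject]@{
            Name       = $proc.ProcessName
            Id         = $proc.Id
            Path       = $path
            Signature  = $signature
            Suspicious = ($signature -ne 'Valid') -or $inSuspectDir
        }
    }
}

function Get-AutostartEntries {
    [CmdletBinding()]
    param()

    # Registry Run keys for the machine and for the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath properties
                    [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }

    # Startup folders and the other autostart entries WMI knows about
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [PSCustomObject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
    }
}

# Usage: show the processes flagged for a closer look (plus the process name the article
# mentions, whose ProcessName has no .exe suffix), then every autostart entry
Get-ProcessTriage | Where-Object { $_.Suspicious -or $_.Name -like 'PK Holdings*' } |
    Sort-Object Name | Format-Table -AutoSize
Get-AutostartEntries | Format-Table -AutoSize
```

The Startup tab in Task Manager is built from the same Run keys and Startup folders that Get-AutostartEntries lists, so an entry you disable there should correspond to a line in this output. A process flagged here is a candidate for the "Open file location" check, not proof of infection: some legitimate installers and updaters run unsigned from %LOCALAPPDATA%, so compare the path and signature with what you expect before ending anything.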
Step 3: Get Rid of Virus Files
Malware files can be detected in different locations within your system. Follow these instructions to find them:
- Press the Windows key, type Disk Cleanup and press Enter.
- Choose the storage drive you wish to clean (we advise selecting the one on which the operating system is installed, for instance drive C).
- Under Files to delete, check the following:
- Temporary Internet Files
- Recycle Bin
- Temporary files
- When done, you can check other locations that usually host malicious content such as:
When done, you can reboot the system in normal mode.
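The file sweep in Step 3 can be done from PowerShell as well. The script below is an added example, not code from the original article: it lists recently created scripts and executables in the folders malware commonly drops into, with their signature status and SHA-256 hash, clears the temp folders, and opens the Disk Cleanup dialog from the command line. It assumes Windows 10 with PowerShell 5.1 or later in an elevated session; the list of folders and the 30-day window are assumptions you can adjust.

```powershell
# Added example (not from the original article): a read-only sweep of common malware
# drop locations, followed by the command-line form of the temp cleanup and Disk
# Cleanup steps. Assumes Windows 10, PowerShell 5.1+, elevated session.

function Find-RecentExecutables {
    [CmdletBinding()]
    param(
        # Only report files created within this many days (assumed default)
        [int]$Days = 30,
        # Typical drop locations; APPDATA and LOCALAPPDATA are large, so the scan takes a while
        [string[]]$Folders = @(
            $env:TEMP,
            "$env:windir\Temp",
            $env:APPDATA,
            $env:LOCALAPPDATA,
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:USERPROFILE\Downloads"
        )
    )

    $cutoff     = (Get-Date).AddDays(-$Days)
    $extensions = '.exe', '.dll', '.scr', '.vbs', '.js', '.ps1', '.bat', '.cmd'

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLower() -and $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                [PSCustomObject]@{
                    Created   = $_.CreationTime
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Clear-TempFolders {
    # Removes the contents of the user and system temp folders; supports -WhatIf for a dry run
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($folder in @($env:TEMP, "$env:windir\Temp")) {
        if ($PSCmdlet.ShouldProcess($folder, 'Delete contents')) {
            Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage: newest files first; an unsigned binary in Temp or a Startup folder deserves a closer look
Find-RecentExecutables -Days 30 | Sort-Object Created -Descending | Format-Table -AutoSize

# Preview what the temp cleanup would delete, then run it for real
Clear-TempFolders -WhatIf
Clear-TempFolders

# Open the Disk Cleanup dialog used in the step above for drive C:
Start-Process -FilePath cleanmgr.exe -ArgumentList '/d', 'C:' -Wait
```

The SHA-256 column is there so that a file you are unsure about can be looked up against your anti-malware vendor's detections before you delete it; a hash and the full path also make a useful record if the machine later has to be handed to an incident responder. Files that are in use will survive the temp cleanup, which is why the article has you do this step from Safe Mode.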
Use Automatic Solution to Get Rid of Orcus RAT
The most effective method to get rid of the Orcus Trojan is to use strong and reliable anti-malware security software. Reliable security utilities update their signatures promptly to detect the latest malware. So, you should choose a reputable company to ensure you get rid of all malware on your system once and for all.
Download the security program from its official site and install it. Once done, run the program and select the Full Scan option. Wait for the program to finish scanning the entire system and display all flagged content. Choose the recommended action to Quarantine / Remove malware.
Even though Orcus Technologies was fined CAD 115 000 for spreading Orcus RAT, this has not stopped the spread of the virus. It is still lethal and must be dealt with immediately to avoid severe damage and loss. We advise users to keep a strong anti-malware security program running in the background for real-time protection. Keeping all your software updated is also a security measure, since it gives you the latest security patches.