| Orcinius | |
|---|---|
| Type of Malware | Trojan |
| Country of Origin | Turkey |
| Targeted Countries | Italy |
| Date of Initial Activity | 2024 |
| Associated Groups | Remcos |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Type of Information Stolen | Login credentials |
| Targeted Systems | Windows |
Overview
In late June 2024, the cybersecurity landscape witnessed a new and formidable threat: the Orcinius Trojan. Discovered by the SonicWall Capture Labs threat research team, Orcinius represents a sophisticated multi-stage malware designed to exploit vulnerabilities in Microsoft Excel and leverage cloud storage services for its operations. This Trojan, named after the powerful orcas, or killer whales, draws parallels with its namesake by exhibiting a high level of stealth and complexity, making it a significant concern for cybersecurity professionals.
The primary distribution method for Orcinius involves phishing emails that appear to come from legitimate sources, enticing victims to open a seemingly harmless Excel spreadsheet. This file, disguised as a calendar application, contains a malicious VBA macro that initiates the infection process. What sets Orcinius apart is its use of advanced obfuscation techniques, including ‘VBA stomping,’ which effectively conceals the malware’s true functionality from conventional detection methods. This approach ensures that the macro’s nefarious actions remain hidden until it is too late.
Targets
Information
Individuals
How they operate
The infection typically begins through phishing emails that contain a seemingly benign Excel spreadsheet, such as one purportedly related to billing cycles. The spreadsheet, however, harbors a malicious VBA macro embedded using a technique known as ‘VBA stomping.’ This technique replaces the stored macro source code, leaving behind only the compiled p-code, which Office still executes but which is far harder for analysts and static scanners to read. When the victim opens the file and enables macros, the Trojan is activated, setting the stage for its nefarious activities.
Once executed, Orcinius employs the Command and Scripting Interpreter technique by leveraging the VBA macro to perform various malicious operations. The macro is programmed to perform tasks such as modifying registry settings to suppress warnings about VBA macros, thus avoiding detection. It also establishes persistence by creating registry keys that ensure the Trojan’s continued execution on system startup. Additionally, Orcinius uses Windows API functions to enumerate running processes and set up keystroke logging, capturing sensitive user input to steal credentials and other private data.
To further evade detection, Orcinius utilizes obfuscation techniques and masquerades as legitimate files. The VBA stomping method effectively hides the malicious code, making it difficult for security tools to identify and analyze the Trojan. The malware disguises itself as a seemingly harmless Excel file, thereby tricking users into enabling macros. It also employs randomized timers for activation and download attempts, which complicates efforts to trace its activities and mitigate its impact.
The Trojan’s command and control operations involve exfiltrating stolen data and downloading additional payloads from cloud storage services like Dropbox and Google Docs. Orcinius communicates with these external sources to transfer collected data and receive updated instructions or further malicious payloads. This multi-faceted approach highlights the Trojan’s sophistication and its capacity to adapt and persist within an infected environment, posing a significant threat to both individual users and organizations alike.
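The behaviours described above (an Office process lowering its own macro security in the registry, writing an autostart key, and talking to Dropbox or Google Docs) are all visible in ordinary endpoint telemetry. The following is an added example, written for this page and not code from SonicWall or from the malware itself: it runs three detection rules over constructed Sysmon-style events (Event ID 13 registry value set, Event ID 3 network connection). The registry paths (`Office\<version>\Excel\Security\VBAWarnings`, `AccessVBOM`, `CurrentVersion\Run`) and the meaning of `VBAWarnings = 1` ("enable all macros") are documented Office and Windows settings; the sample events, SID, file name and the rule names are constructed assumptions.

```python
"""Endpoint triage for the Orcinius behaviours described on this page.

Added example (not SonicWall's analysis code or the malware's own code).
Three rules are applied to Sysmon-style events, all scoped to Office processes:
  1. macro security lowered in the registry (VBAWarnings / AccessVBOM set to 1),
  2. an autostart key written under CurrentVersion\\Run (T1547.001),
  3. an outbound connection to a cloud-storage host (T1041).
"""
import re

# Constructed sample events (not real telemetry). Field names mirror Sysmon
# Event ID 13 (RegistryEvent: value set) and Event ID 3 (Network connection).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},                       # 1 = enable all macros
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},                       # 2 = disable with notification (default)
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Calendar",
     "Details": r"C:\Users\user\AppData\Roaming\calendar.xlsm"},  # constructed value name and path
    {"EventID": 3,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationHostname": "www.dropbox.com", "DestinationPort": 443},
    {"EventID": 3,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.dropbox.com", "DestinationPort": 443},  # browser traffic, benign
]

OFFICE_IMAGE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)
MACRO_SECURITY = re.compile(
    r"\\Office\\\d+\.\d+\\(Excel|Word|PowerPoint)\\Security\\(VBAWarnings|AccessVBOM)$", re.I)
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Hosts named on this page plus Google Drive; extend with your own allow/deny lists.
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "docs.google.com", "drive.google.com")


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def is_office_process(image):
    return bool(OFFICE_IMAGE.search(image))


def check_registry(ev):
    """Rule 1 and rule 2: macro security lowered, or autostart key written."""
    target = ev["TargetObject"]
    m = MACRO_SECURITY.search(target)
    if m:
        # VBAWarnings 1 = run all macros without warning;
        # AccessVBOM 1 = macros may read/write the VBA project itself.
        if dword_value(ev["Details"]) == 1:
            return {"rule": "office_macro_security_lowered",
                    "app": m.group(1), "value": m.group(2), "target": target}
        return None
    if AUTOSTART_KEY.search(target):
        return {"rule": "office_autostart_key", "technique": "T1547.001",
                "target": target, "data": ev["Details"]}
    return None


def check_network(ev):
    """Rule 3: Office process connecting to a cloud-storage service."""
    host = ev["DestinationHostname"].lower()
    for suffix in CLOUD_STORAGE_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return {"rule": "office_cloud_storage_connection", "technique": "T1041",
                    "host": host, "port": ev["DestinationPort"]}
    return None


def triage(events):
    """Return the list of findings, in event order, for Office-originated events only."""
    findings = []
    for ev in events:
        if not is_office_process(ev["Image"]):
            continue
        finding = None
        if ev["EventID"] == 13:
            finding = check_registry(ev)
        elif ev["EventID"] == 3:
            finding = check_network(ev)
        if finding:
            finding["image"] = ev["Image"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], {k: v for k, v in f.items() if k not in ("rule", "image")})
```

Scoping every rule to an Office image is what keeps the false-positive rate usable: browsers and sync clients talk to Dropbox all day, and installers legitimately write Run keys, but a spreadsheet process doing either is worth a ticket. The Word `VBAWarnings = 2` event in the sample is deliberately left unflagged because that is the default "disable with notification" setting.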
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): Orcinius is delivered through phishing emails containing a malicious Excel spreadsheet.
User Execution (T1203): The victim is tricked into opening the Excel file and enabling macros, which initiates the malware.
Execution:
Command and Scripting Interpreter (T1059): The VBA macro in the Excel file uses scripting to execute malicious commands.
Scheduled Task/Job (T1053): Orcinius may create scheduled tasks to ensure its persistence and execution.
Persistence:
Registry Run Keys / Startup Folder (T1547.001): The Trojan writes registry keys to ensure it runs on system startup, specifically targeting Excel and Word security settings.
Create or Modify System Process (T1543): It might create or alter processes to maintain its presence on the infected system.
Defense Evasion:
Obfuscated Files or Information (T1027): Orcinius employs ‘VBA stomping’ to obfuscate its macro code, making detection by security tools more challenging.
Masquerading (T1036): The malware disguises itself as a legitimate file, such as an Italian calendar spreadsheet, to avoid detection.
Credential Access:
Input Capture (T1056): Orcinius utilizes keystroke logging to capture sensitive information like login credentials.
Command and Control (C2):
Exfiltration Over Command and Control Channel (T1041): The Trojan communicates with cloud storage services such as Dropbox and Google Docs to exfiltrate stolen data and download additional payloads.