Attackers Target Govt and Financial Orgs With Orcus, Revenge RATs


Multiple malicious campaigns actively targeting government and financial entities around the world have been spotted backdooring their victims' computers with the Revenge and Orcus Remote Access Trojans (RATs).


All these separate campaigns are linked together by several unique tactics, techniques, and procedures (TTPs) including but not limited to command and control (C2) infrastructure obfuscation, analysis evasion, and persistence techniques leveraged by fileless malware strains.


As the Cisco Talos researchers who made this discovery further found, a threat actor has been using Revenge RAT and Orcus RAT payloads as part of ongoing "malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies."


Revenge RAT is a publicly available RAT released during 2016 on the Dev Point hacking forum. It is known to be capable of opening remote shells, letting the attacker manage system files, processes, the registry, and services, log keystrokes, dump victims' passwords, and access the webcam, among other capabilities.


Orcus has been advertised as a Remote Administration Tool since early 2016, but given that it also has Remote Access Trojan capabilities, including loading custom plugins, it is now also considered a malicious tool.


RAT payloads and obfuscated C2 infrastructure


The campaigns' operators use Dynamic Domain Name System (DDNS) to conceal their C2 servers, a popular method of hiding command and control infrastructure also observed in the case of other attacks deploying RATs on targeted machines.
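One defensive response to this tactic is to watch outbound DNS for queries to dynamic DNS providers, since most corporate hosts have no business reason to resolve them. The following Python script is an added example, not code from the article or from Cisco Talos: it scans constructed resolver log lines for hostnames under a watchlist of well-known DDNS provider suffixes and counts repeat lookups per client. The provider list is an assumption chosen for illustration, not the providers used in the campaigns described above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed watchlist of widely used dynamic DNS provider suffixes.
# Assumption: generic examples for illustration only; they are not the
# providers tied to the Revenge/Orcus campaigns described in the article.
DDNS_SUFFIXES = (
    ".no-ip.org",
    ".no-ip.biz",
    ".ddns.net",
    ".duckdns.org",
    ".dyndns.org",
    ".hopto.org",
)

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 10.1.2.3 www.example.com A
2019-06-01T10:00:02Z 10.1.2.3 update-service.ddns.net A
2019-06-01T10:00:03Z 10.1.2.9 cdn.example.org AAAA
2019-06-01T10:00:04Z 10.1.2.3 update-service.ddns.net A
2019-06-01T10:00:05Z 10.1.2.7 mailhost.duckdns.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    provider: str


def ddns_provider(qname: str) -> Optional[str]:
    """Return the matching DDNS provider suffix (without leading dot), or None.

    The bare provider apex (e.g. 'ddns.net') is not flagged; only hostnames
    registered beneath it are, since those are what an operator would register.
    """
    name = qname.lower().rstrip(".")
    for suffix in DDNS_SUFFIXES:
        apex = suffix.lstrip(".")
        if name.endswith(suffix) and name != apex:
            return apex
    return None


def find_ddns_queries(log_text: str) -> List[Hit]:
    """Parse resolver log lines and return every query to a DDNS hostname."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed or empty lines
        _ts, client, qname, _qtype = match.groups()
        provider = ddns_provider(qname)
        if provider:
            hits.append(Hit(client, qname.lower(), provider))
    return hits


def summarize(hits: List[Hit]) -> Dict[Tuple[str, str], int]:
    """Count lookups per (client, hostname); repeated beaconing stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for hit in hits:
        key = (hit.client, hit.qname)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (client, qname), n in sorted(summarize(find_ddns_queries(SAMPLE_LOG)).items()):
        print(f"{client} -> {qname} ({n} lookups)")
```

In production the suffix list would come from a maintained feed rather than a constant, and the counts would be joined against asset inventory so that a single host beaconing to one DDNS name repeatedly is escalated ahead of one-off lookups.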


However, the bad actors behind this series of attacks add an extra level of refinement by also pointing the DDNS "to the Portmap service to provide an additional layer of infrastructure obfuscat ..
