Day: August 3, 2016

Traditional antivirus (AV) is not the solution to endpoint security – it is the problem. AV is no longer effective at stopping today’s cyberthreats and to prevent security breaches in your organization, you must protect yourself not only from known and unknown cyberthreats but also from the failures of any traditional AV solutions deployed in your environment. Today, we’reannouncing enhancements to Traps advanced endpoint protection that empower you to replace your AV with real breach prevention.

In this post, I’ll go over some of the enhancements we’ve made to Traps. For a deeper dive, I encourage you to learn more about Traps, its new and updated capabilities, and how it replaces traditional antivirus with true prevention, by downloading the “Protect Yourself From Antivirus” white paper, or by joining our webinar to see Traps in action.

Traps replaces traditional antivirus with a proprietary combination of purpose-built malware and exploit prevention methods that protect users and endpoints from both known and unknown threats. With Traps, you prevent security breaches, in contrast to detecting and responding to incidents after critical assets have already been compromised.

The updated release of Traps eliminates the need for traditional AV by enabling you to:

• Prevent cyber breaches by pre-emptively blocking known and unknown malware, exploits and zero-day threats.
• Protect and enable your users to conduct their daily activities and use web-based technologies without concern for known or unknown cyberthreats.
• Automate breach prevention by virtue of the autonomous reprogramming of Traps using threat intelligence gained from Palo Alto Networks WildFire threat intelligence service.

New and Improved Multi-Method Malware Prevention

Traps prevents malicious executables by maximizing coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of malware detection. This approach combines several layers of protection that instantaneously prevent known and unknown malware from infecting your systems, whether they are online or offline, on-premise or off, connected to your organization’s network or not (Figure 1). Those layers include:

1. Static Analysis via Machine Learning [new]: Obtain an instantaneous verdict on any unknown executable file before it is allowed to run, without reliance on signatures, scanning or behavioral analysis.
2. WildFire Inspection and Analysis [improved]: Rapidly detect unknown malware and automatically reprogram Traps to prevent known malware by leveraging the power of Palo Alto Networks WildFire cloud-based malware analysis environment.
3. Trusted Publisher Execution Restrictions [new]: Identify executable files that are among the “unknown good” because they are published and digitally signed by trusted publishers.
4. Policy-Based Execution Restrictions [improved]: Define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment.
5. Admin Override Policies [improved]: Define policies, based on the hash of an executable file, to control what is allowed to run in your environment and what is not.

Traps also quarantines malicious executables to prevent infected files from spreading to or infecting other users.

The combination of the above methods and capabilities not only prevents both known and unknown malware from compromising your systems but also enables you to fully customize the scope of prevention to meet your organization’s needs.

Improved Multi-Method Exploit Prevention

Traps uses an entirely new approach to prevent exploits. Instead of focusing on the millions of individual attacks, or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques used by all exploit-based attacks. By identifying and pre-emptively blocking any exploitation technique the moment it is attempted, Traps prevents exploits from compromising your applications, including those developed in-house and those that no longer receive security support.

Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block exploitation techniques (Figure 2):

1. Memory Corruption/Manipulation Prevention [improved]: Identify and prevent the exploitation techniques that manipulate your application’s memory space before they can successfully subvert the application.
2. Logic Flaw Prevention [improved]: Recognize and block the exploitation techniques that manipulate the operating system’s normal processes used to support and execute your applications.
3. Malicious Code Execution Prevention [improved]: Identify and prevent the exploitation techniques that allow the attacker’s malicious code to execute, before they compromise your applications.

Traps protects applications and systems, whether or not they receive security patches, and regardless of network connectivity or physical location.

Automated Prevention via the Next-Generation Security Platform

Traps is the only endpoint protection offering that automatically converts the threat intelligence gained from a global community of over 10,000 WildFire subscribers and multiple threat intelligence sources into malware prevention.

When WildFire identifies an executable file as malicious, regardless of where that threat intelligence is gained, Traps automatically reprograms itself to prevent the execution of that file from that moment on. This process all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect your systems because an attacker can use each piece of malware once, at most, anywhere in the world, and only has seconds to carry out an attack before WildFire renders it entirely ineffective.

As part of Palo Alto Networks Next-Generation Security Platform, Traps enables you and your organization to continuously apply the growing threat intelligence gained from thousands of enterprise customers, across both the network and endpoints, to your own environment.

Protect Yourself From Antivirus

• Download the “Protect Yourself From Antivirus” white paper
• Join us for the “Protect Yourself From Antivirus: Introducing the New Traps v3.4” webinar

Michael Moshiri

[Palo Alto Networks Research Center]

Unit 42 has been tracking a new Remote Access Trojan (RAT) being sold for $40 USD since April 2016, known as “Orcus”. Though Orcus has all the typical features of RAT malware, it allows users to build custom plugins and also has a modular architecture for better management and scalability. The objective of this blog is to highlight some of the capabilities of this new RAT family and the impact seen so far.

Background

Before we discuss the details of this RAT family, let’s discuss how Orcus became a commercially sold RAT. Around October 2015, the developer of Orcus, going with the alias of “Sorzus”, posted a thread on a hacker forum about a RAT he was developing, soliciting feedback on how it could be published. The developer had then named the tool as “Schnorchel”, German for “Snorkel”.

Figure 1 Sorzus discusses publishing Orcus

The figure below shows the early versions of Orcus when it was being developed. It is interesting to see that the developer details mentioned on the earlier version indicates “Vincent (Alkalinee)”, and we are also aware that ‘Alkalinee’ was the alias which was being used by the developer before taking the new alias of ‘Sorzus’. (This also suggests that the real name of the Orcus developer may be ‘Vincent’.)

Figure 2 Early version of Orcus which was known as “Schnorchel”

The developer had shared intentions to publish the RAT for free and make it open-source. However, some of the users in the forum responded, advising to make it commercial instead of sharing it for free or making it open source, citing that the source code would eventually be used by others to repackage and sell it as a new RAT. One forum user, alias “Armada”, offered to assist “Sorzus” on helping out with publishing the tool and apparently became Sorzus’ eventual partner.

“Sorzus” and “Armada” are believed to be the two main individuals currently managing the sales and development of Orcus. Brian Krebs published a blog a few weeks ago disclosing details of the individual who has been supposedly known to be the person behind Orcus. Our analysis suggests that ‘Sorzus’ is the main developer of the RAT and ‘Armada’ is mostly responsible for sales and support of the tool.

Architecture

Orcus is developed using C# with the Windows administration/controller component developed using WPS (Windows Presentation Foundation), which is used to render user interfaces in Windows based systems. Orcus has three main components to its architecture: Orcus controller, Orcus Server and the trojan binary which is deployed on a victim machine. The delivery vectors vary, ranging from a spear phishing attack using the malware binary with the email, having a hyperlink with a download link to the Orcus malware binary, or even using drive-by download methods.

In most RAT malware, once a victim has been infected, the malware connects back to the admin panel of the attacker to send data and provide control to the infected machine. However, if a victim machine is infected with an Orcus RAT, it connects back to the Orcus server which does not have the admin panel on it. Orcus has a separate component for the admin panel (Orcus controller) which enables control of all infected machines from the Orcus controller. This set up offers multiple benefits to the cyber criminals using Orcus. For example, they are able to share access to victim machines by accessing a single Orcus server which would enable a group of cyber criminals working together to better manage their infected victim networks and also allow scalability of their Orcus network by deploying multiple ‘Orcus servers’.

Figure 3 Orcus Architecture

The developer not only has a controller build for Windows, but also created an Android app for the admin controller to control the infected machines using an Android device. An Android app for the controller/administration component is also available from Google Play.

Figure 4 Orcus administration component for Android platform

Unique Features

Below are some Orcus features that can enable full control of a victim machine:

• Keylogger
• Screengrabs
• Remote code execution
• Webcam monitor
• Disable webcam light
• Microphone recorder
• Remote administration
• Password stealers
• Denial of Service
• VM Detection
• InfoStealer
• HVNC
• Reverse Proxy
• Registry explorer/editor
• Real Time Scripting
• Advanced Plugin System

Orcus has many common features of a RAT, however the features which are unique and stand out the most is the ‘Plugin System’ and ‘Real time scripting’. The plugin feature allows users of Orcus to build their own plugins or download plugins which have been developed by the author. If a user has basic knowledge on one of the supported programming languages, which are C#, VB.Net or C++, that user can easily extend and write plugins to build on to the current capabilities of Orcus. The author also provides a developer package to create the plugins with an IDE (Integrated Development Environment), which is an application used by programmers to develop programs.

The Orcus sellers also provide very well documented tutorials to create plugins, and also maintain a Github page which has a few sample plugins created. Orcus allows seven different types of plugins to be created. Figure 5 shows the current list of plugin types that can be built.

Figure 5 Types of plugins

The libraries are well documented and are currently being hosted on ‘sharpdox.de’. Sharpdox is a tool to create C# code documentations and can be hosted on ‘sharpdox.de’. Figure 6 shows an example of the methods or functions which are available to the Orcus plugin’s ‘ClientController’ class.

Figure 6 Example of a plugin library documentation

The Real Time scripting feature allows Orcus users to write and execute code (C#, VB.Net) in real time while remotely managing the compromised system.

Figure 7 Real time scripting feature on Orcus

Analysis: Orcus Protections

From an incident responder or threat analyst’s perspective, it is important to understand the type of anti-analysis protections a malware family employs so one is able to build an environment to successfully analyze the malware. This blog is not intended to discuss reverse-engineering the RAT in detail; however, it is interesting to see some of the anti-analysis features which Orcus employs to avoid being detected in a standard analysis environment.

We reverse-engineered one of the Orcus samples seen on a recent attack to check and verify some of the configured features. Given Orcus is developed in C# / VB.Net, we can easily peek into the code using a .NET disassembler. If an Orcus user enables the VMDetection feature while building the malware binary, the malware would check if the malware is running within a virtual machine environment. The virtual machines that Orcus detects are ParallelsDesktop, VirtualBox, VirtualPC and VMWare. The figure below shows the code excerpt for detecting the presence of virtual machines.

Figure 8 Virtual Machine detection in Orcus

Orcus also checks for processes of network monitoring tools like Netmon, TCPView and Wireshark as shown in the figure below.

Figure 9 Detection for network analysis tools

Impact

Figure 10 below shows the trending graph seen in Autofocus on the number of malware download sessions for Orcus. Given the feature rich toolset and the scalability Orcus provides, it is not a surprise that the usage and acceptance of the Orcus RAT is growing among cyber criminals since being first sold early this year. Given the increasing popularity of Orcus, it is likely that we will see more cyber crime campaigns where the RAT of choice is Orcus.

Figure 10 Autofocus graph of Orcus download sessions over time

Conclusion

The individuals behind Orcus are selling the RAT by advertising it as a “Remote Administration Tool” under a supposedly registered business and claiming that this tool is only designed for legitimate business use. However, looking at the feature capabilities, architecture of the tool, and the publishing and selling of the tool in hacker forums, it is clear that Orcus is a malicious tool, and that its target customer is cyber criminals. It’s not uncommon but this is an interesting case where a developer with an initial intention to release the code for free or open source, ends up in collaborating with an individual in a hacker forum who has prior experience in building and selling similar malicious tools, and creates a commercial RAT which has started to gain wide acceptance among cyber criminals with its unique feature set and flexible architecture.

Palo Alto Networks WildFire correctly identifies Orcus as malicious and AutoFocus customers can track this threat using the Orcus tag.

IOCs:

The current list of hashes for Orcus samples can be found on the Unit 42 github page here.

Vicky Ray

[Palo Alto Networks Research Center]