Orcus RAT spread via spam to steal Bitcoin.

A remote access trojan is targeting Bitcoin investors through spam emails that claim to advertise a new Bitcoin trading bot called Gunbot but instead spread the Orcus RAT, a malware that looks to steal Bitcoin and more.

Orcus is advertised as a Remote Administration Tool but offers features that go above and beyond those of typical RATs, such as the ability to disable the light indicator on webcams so as not to alert the target that it is active. The malware also

While Gunbot is a real product, the advertisement is fake and carries a malicious attachment containing a simple VB Script that, when executed, downloads a PE binary file, according to a Dec. 7 Fortinet blog post.

Researchers said the threat actors either lacked the technical knowledge and simply bought the components used in the campaign, or had no intention of hiding the malware's behavior, based on the comments left in the script, which described each step of the code's execution.

It is also possible that they simply don't care, as long as there is someone who double-clicks the file without properly inspecting its contents.

“At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures,” researchers said in the post. “After further analysis, however, we found that it is a trojanized version of an open source inventory system tool named TTJ-Inventory System.”

The threat actors used a site designed to imitate the bitcoin forum bitcointalk.org to deliver the malware disguised as the Gunbot tool, which contains a similar trojanized “Inventory System” as well as the VB Script downloader.

Researchers traced the domain and found it registered to “Cobainin Enterprises,” along with other questionable domains registered to the same registrant. The domains used similar names with replaced letters and, when accessed, displayed a “We'll be back soon!” message.

Researchers speculate that the threat actors cycle through these sites between their malware campaigns, with one of the websites leading to a fake Gunbot site.