URL: https://blog.sonicwall.com/en-us/2024/06/new-orcinius-trojan-uses-vba-stomping-to-mask-infection/
New Orcinius Trojan Uses VBA Stomping to Mask Infection




By Security News
June 27, 2024


Overview

This week, the SonicWall Capture Labs threat research team investigated a sample
of Orcinius malware. Orcinius is a multi-stage trojan that uses Dropbox and
Google Docs to fetch second-stage payloads and updates. Its obfuscated VBA macro
hooks Windows APIs to monitor the active windows and the user's keystrokes, and
it establishes persistence through registry keys.


Infection Cycle

The initial infection vector is an Excel spreadsheet, in this case “CALENDARIO
AZZORTI.xls”.



Figure 1: Initial file detection

The file appears to be an Italian calendar; its three visible worksheets list
billing cycles for various cities.



Figure 2: One of the visible sheets seen when opened

The file contains a VBA macro that has been modified with a technique called
‘VBA stomping’: the compressed source code stored in the VBA project is
overwritten, leaving only the compiled p-code. Viewing the macro in the VBA
editor therefore shows either nothing or a harmless decoy, while the p-code,
which is what actually executes when the file is opened (and closed), carries
the malicious logic, as the Olevba output in Figure 3 shows. One caveat worth
keeping in mind: Office runs the cached p-code only when the document was
compiled with the same Office/VBA version as the victim's install and
recompiles from the (decoy) source otherwise, so the malicious behaviour is
tied to matching Office versions.



Figure 3: Olevba tool output showing some of the malicious functionality
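To make the distinction concrete, here is an added example (not code from the SonicWall post, and not oletools' own implementation) of the MS-OVBA decompression that Olevba applies to the source-code container in each VBA module stream. That container is the part VBA stomping empties or replaces; the p-code lives separately in the same stream and is untouched by this routine, which is why a tool that only decompresses source sees the decoy. Both input samples are constructed by hand for the example.

```python
import math


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container (MS-OVBA section 2.4.1),
    the encoding Office uses for the VBA source text inside each module
    stream. Returns the raw source bytes; raises ValueError on a malformed
    container. Masks and shifts follow the spec's DecompressCopyToken."""
    if not data or data[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        # Chunk header: bits 0-11 = chunk size - 3, bits 12-14 = 0b011,
        # bit 15 = 1 when the chunk is compressed.
        if pos + 2 > len(data):
            raise ValueError("truncated chunk header")
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_out_start = len(out)       # copy tokens may not reach before this
        if not compressed:
            out += data[pos:pos + 4096]  # raw chunk: up to 4096 literal bytes
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]            # one flag bit per following token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])  # literal byte
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token at offset %d" % pos)
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The split between offset and length bits depends on how far
                # into the decompressed chunk we are (at least 4 offset bits).
                difference = len(out) - chunk_out_start
                if difference == 0:
                    raise ValueError("copy token with nothing to copy from")
                bit_count = max(math.ceil(math.log2(difference)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_out_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):    # byte-wise so overlapping runs work
                    out.append(out[src + i])
    return bytes(out)


# Constructed sample 1: one compressed chunk with eight literals followed by a
# copy token (length 8, offset 8) that repeats them. Header 0xB00B =
# 0x8000 (compressed) | 0x3000 (signature) | (14 - 3).
SAMPLE_COMPRESSED = b"\x01" + b"\x0b\xb0" + b"\x00" + b"abcdefgh" + b"\x01" + b"\x05\x70"

# Constructed sample 2: one uncompressed chunk (header 0x3FFF) of 4096 raw bytes.
SAMPLE_UNCOMPRESSED = b"\x01" + b"\xff\x3f" + b"X" * 4096


if __name__ == "__main__":
    print(decompress_vba(SAMPLE_COMPRESSED))          # b'abcdefghabcdefgh'
    print(len(decompress_vba(SAMPLE_UNCOMPRESSED)))   # 4096
```

Feed this the bytes that start at MODULEOFFSET in a module stream (the offset is recorded in the project's dir stream) and you get the source text the VBA editor would display; if that text is empty or plainly benign while the stream is still large, the remaining bytes before MODULEOFFSET are the p-code that would actually run, which is the condition a stomping detector looks for.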

At runtime the macro performs the following actions:

 * Checks for, and writes, registry values that suppress macro security
   warnings (on a real install these live under a per-version path such as
   HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings, and a value
   of 1 enables all macros without a prompt):
   * “HKCU\Software\Microsoft\Office\Excel\Security\VBAWarnings”
   * “HKCU\Software\Microsoft\Office\Word\Security\VBAWarnings”
 * Enumerates the currently open windows with EnumThreadWindows
 * Sets up persistence by writing a value under
   HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
   (14.0 is the Office 2010 hive)
 * Reaches out to both encoded URLs and attempts to download the payload via
   WScript.Shell
 * Installs a keyboard hook with SetWindowsHookEx to capture keystrokes
 * Creates several randomized timers that drive activation and download retries
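For defenders, the two registry behaviours in that list are the most durable host-side signals, so here is an added example (not from the SonicWall post) that triages Sysmon Event ID 13 (registry value set) records for them. The events are constructed for the example and flattened into a Field=value|Field=value text form of my own; the SID, file paths and value names are made up. It assumes Sysmon's conventions of writing HKCU paths as HKU\<SID>\... and DWORD data as "DWORD (0x...)", and encodes the standard meanings of the VBAWarnings values.

```python
import re

# Meaning of the VBAWarnings DWORD stored under
# HKCU\Software\Microsoft\Office\<version>\<app>\Security
VBA_WARNINGS = {
    1: "enable all macros, no prompt",
    2: "disable with notification (default)",
    3: "disable except digitally signed",
    4: "disable all, no notification",
}

# Sysmon records HKCU paths as HKU\<SID>\...; the version segment is optional
# so the pattern also matches the version-less paths quoted in the analysis.
VBA_WARNINGS_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(?:\d+\.\d+\\)?"
    r"(Excel|Word|PowerPoint)\\Security\\VBAWarnings$",
    re.IGNORECASE,
)
RESILIENCY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\"
    r"(Excel|Word|PowerPoint)\\Resiliency\\StartupItems",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_event(line: str) -> dict:
    """Split one 'Field=value|Field=value' record (a constructed, flattened
    form of a Sysmon event) into a dict."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def triage_registry_events(lines):
    """Return (rule, image, target, note) tuples for Sysmon Event ID 13
    (RegistryEvent, value set) records that match the macro's two registry
    behaviours: disabling macro warnings and writing under Office's
    Resiliency\\StartupItems key."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        image = ev.get("Image", "")
        if VBA_WARNINGS_RE.search(target):
            d = DWORD_RE.search(ev.get("Details", ""))
            value = int(d.group(1), 16) if d else None
            if value == 1:
                findings.append(("macro-warnings-disabled", image, target,
                                 VBA_WARNINGS[value]))
            continue
        if RESILIENCY_RE.search(target):
            findings.append(("office-resiliency-startupitem", image, target,
                             ev.get("Details", "")))
    return findings


# Constructed events modelled on Sysmon Event ID 13; the SID, paths and value
# names are made up for the example.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
HKCU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # the macro flips Excel's and Word's VBAWarnings to 1
    "EventID=13|EventType=SetValue|Image=" + EXCEL + "|TargetObject=" + HKCU
    + r"\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings|Details=DWORD (0x00000001)",
    "EventID=13|EventType=SetValue|Image=" + EXCEL + "|TargetObject=" + HKCU
    + r"\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings|Details=DWORD (0x00000001)",
    # persistence value under Resiliency\StartupItems (Office 2010 hive)
    "EventID=13|EventType=SetValue|Image=" + EXCEL + "|TargetObject=" + HKCU
    + r"\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems\b3mc|Details=Binary Data",
    # benign: the default setting being written back, and an unrelated option
    "EventID=13|EventType=SetValue|Image=" + EXCEL + "|TargetObject=" + HKCU
    + r"\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings|Details=DWORD (0x00000002)",
    "EventID=13|EventType=SetValue|Image=" + EXCEL + "|TargetObject=" + HKCU
    + r"\Software\Microsoft\Office\16.0\Excel\Options\DefaultPath|Details=C:\Users\u\Documents",
    # not a registry event at all
    "EventID=1|Image=" + EXCEL + "|CommandLine=EXCEL.EXE CALENDARIO AZZORTI.xls",
]


if __name__ == "__main__":
    for rule, image, target, note in triage_registry_events(SAMPLE_EVENTS):
        print(rule, "|", target, "|", note)
```

Treat the two rules differently in production: VBAWarnings being set to 1 by an Office process (rather than by a policy or admin tool) is a strong alert on its own, whereas Office writes under its own Resiliency keys after a crash, so the StartupItems rule is an enrichment or hunt signal to be combined with the other behaviours on this page, not a stand-alone detection.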



Figure 4: Enumerating running windows



Figure 5: Setting a hook for keyboard monitoring



Figure 6: URLs and Synaptics references

The macro also references ‘Synaptics.exe’ and ‘cache1.exe’. On VirusTotal,
this sample and the listed URLs are associated with Remcos, AgentTesla, Neshta,
HTMLDropper and other families that masquerade as ‘Synaptics.exe’. At the time
of analysis both download addresses were unavailable, so no second-stage payload
could be retrieved.


SonicWall Protections

To ensure SonicWall customers are protected against this malware, the following
signature has been released:

 * Orcinius


IOCs

SHA256: 28dd92363338b539aeec00df283e20666ad1bdee90d78c6376f615a0b9481f97


URLs

www-env.dropbox-dns[.]com

hxxps://docs.google[.]com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

hxxps://www.dropbox[.]com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets
cross-vector threat information from the SonicWall Capture Threat network,
consisting of global devices and resources, including more than 1 million
security sensors in nearly 200 countries and territories. The research team
identifies, analyzes, and mitigates critical vulnerabilities and malware daily
through in-depth research, which drives protection for all SonicWall customers.
In addition to safeguarding networks globally, the research team supports the
larger threat intelligence community by releasing weekly deep technical analyses
of the most critical threats to small businesses, providing critical knowledge
that defenders need to protect their networks.
Categories: Threat intelligence
Tags: Security News
