
Orcinius (Trojan) CyberMaterial Malware


In late June 2024, cybersecurity experts were on high alert as a new and dangerous threat emerged in the form of the Orcinius Trojan. Uncovered by the SonicWall Capture Labs threat research team, this Trojan is a complex and stealthy multi-stage malware that abuses Microsoft Excel and relies on cloud storage services as part of its operations. Named after killer whales, known for their power and intelligence, Orcinius lived up to its name by presenting a significant challenge to cybersecurity professionals.

The Orcinius Trojan primarily spreads through phishing emails that appear to be from legitimate sources, enticing victims to open a seemingly harmless Excel spreadsheet. Disguised as a calendar application, this file contains a malicious VBA macro that starts the infection process. What sets Orcinius apart from other malware is its use of advanced obfuscation techniques, including ‘VBA stomping’, which conceals the true functionality of the malware and makes it difficult to detect until it’s too late.

Orcinius casts a wide net, targeting any organization or individual who falls for its deceptive lure. The infection begins with a phishing email carrying a malicious Excel spreadsheet, whose embedded VBA macro uses ‘VBA stomping’ to hide its real behaviour from inspection. Once the victim opens the file and enables macros, Orcinius is activated and begins its malicious operations.

Upon execution, Orcinius employs various tactics to carry out its malicious activities. It uses the VBA macro to modify registry settings, create persistence through registry keys, and set up keystroke logging to capture sensitive information like login credentials. The Trojan also masquerades as legitimate files to evade detection and communicates with cloud storage services for data exfiltration and downloading additional payloads.

To classify Orcinius’s tactics further, its behaviour maps to several MITRE ATT&CK techniques. From initial access through phishing emails, to execution of commands through script interpreters, to persistence through registry keys and system processes, Orcinius follows a sophisticated playbook to ensure its survival and the exfiltration of data. Its ability to obfuscate its code and masquerade as legitimate files adds further layers to its evasion tactics, making it a formidable adversary for cybersecurity professionals.
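The two behaviours the article attributes to Orcinius that are easiest to hunt for in endpoint telemetry are an Excel process launching a script interpreter and a Run-key write that traces back to Excel. The following is an added detection example, not code from the article or from SonicWall; it runs over constructed Sysmon-style events (process creation, Event ID 1, and registry value set, Event ID 13) and the process tree, field names and sample paths are assumptions for illustration, not real Orcinius indicators.

```python
import ntpath  # parse Windows paths correctly on any host

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

def _base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()

def hunt(events):
    """Return (rule, process_id, detail) findings for a stream of Sysmon-style events.

    office_tree tracks PIDs that are an Office process or descend from one, so a
    registry write by a child script interpreter is still attributed to Excel.
    """
    findings, office_tree = [], set()
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
            if image in OFFICE or parent in OFFICE or ev["ParentProcessId"] in office_tree:
                office_tree.add(ev["ProcessId"])
            if image in INTERPRETERS and (parent in OFFICE or ev["ParentProcessId"] in office_tree):
                findings.append(("office_spawns_interpreter", ev["ProcessId"], f"{parent} -> {image}"))
        elif ev["EventID"] == 13:  # registry value set
            target = ev["TargetObject"]
            if any(k in target.lower() for k in RUN_KEYS) and (
                _base(ev["Image"]) in OFFICE or ev["ProcessId"] in office_tree
            ):
                findings.append(("office_run_key_persistence", ev["ProcessId"], target))
    return findings

# Constructed sample telemetry: Excel spawns wscript.exe, which then writes a Run key.
# The svchost and explorer-spawned cmd events are benign noise and must not fire.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 101, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": EXCEL},
    {"EventID": 13, "ProcessId": 101, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Calendar"},
    {"EventID": 13, "ProcessId": 200, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync"},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE):
        print(rule, pid, detail)
```

Against real Sysmon exports the same logic applies once events are ordered by time; the per-PID tree is what lets a Run-key write by a grandchild still be tied back to the Office parent.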

In conclusion, the Orcinius Trojan represents a significant threat in the cybersecurity landscape, showcasing a high level of sophistication and adaptability. Its multi-faceted approach to infection and data exfiltration poses a danger to both individual users and organizations, emphasizing the critical need for robust cybersecurity measures and awareness to combat such threats effectively.
