Hackers Exploit Dropbox & Google Docs to Unleash Devastating Orcinius Malware

Researchers investigated a multi-stage trojan, Orcinius, which utilizes Dropbox and Google Docs to download additional malicious payloads and maintain updates. 

The trojan leverages an obfuscated VBA macro to establish a hook within the Windows system, enabling it to monitor active windows and user keystrokes. To ensure persistence, Orcinius manipulates registry keys. 

An attacker utilizes a VBA macro hidden within an Excel spreadsheet named “CALENDARIO AZZORTI.xls” to launch an attack. The macro employs VBA stomping, a technique that obliterates the original source code, leaving behind only the compiled p-code. 

Initial file detection

This obfuscation renders standard macro viewers ineffective, as they display either nothing or a benign version of the code. The compiled p-code nonetheless executes when the spreadsheet is opened and again when it is closed. 

The macro executes upon file launch, modifying the registry to suppress VBA warnings in Excel and Word. It then retrieves a list of running processes and establishes persistence by adding itself to Excel’s startup routine. 

Enumerating running windows

Encoded URLs are decoded and downloaded via WScript.Shell, while a keyboard hook is installed to monitor user input. To ensure continued execution, the macro creates randomized timers, triggering both further downloads and potential reactivations. 
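The registry changes and the Excel startup persistence described in the two steps above leave traces that can be triaged from an exported user hive. The following Python script is an added example written for this article, not code from the researchers, SonicWall, or the malware: it parses a constructed `.reg` export (the Office version, paths and add-in name are made up), flags `VBAWarnings` values of 1 under the Excel and Word `Security` keys (all macros enabled without a prompt, the setting a macro would choose to suppress warnings), and lists `OPEN`, `OPEN1`, ... entries under `Excel\Options`, one of the standard places a file can be registered to load every time Excel starts. The article does not say exactly which keys Orcinius writes; the key and value names used here are the documented Office ones.

```python
import re

# Constructed sample of a `reg export` dump from a user hive. The Office
# version, paths and the add-in name are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"OPEN"="/R \"C:\\Users\\user\\AppData\\Roaming\\startup_addin.xlam\""

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Meaning of the Office VBAWarnings setting (Trust Center "Macro Settings").
VBAWARNINGS_MEANING = {
    1: 'enable all macros, no prompt',
    2: 'disable with notification (default)',
    3: 'disable except digitally signed macros',
    4: 'disable all macros without notification',
}


def decode_reg_data(data):
    """Decode the dword: and quoted-string forms used in .reg files."""
    if data.startswith('dword:'):
        return int(data[len('dword:'):], 16)
    if data.startswith('"') and data.endswith('"'):
        inner = data[1:-1]
        # .reg strings escape both the quote and the backslash with a backslash
        return inner.replace('\\"', '"').replace('\\\\', '\\')
    return data  # hex:, expand strings, etc. are left as written


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_data}} for a .reg dump."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = decode_reg_data(m.group('data'))
    return keys


def find_office_macro_findings(keys):
    """Flag macro security downgrades and Excel auto-open entries."""
    findings = []
    for key, values in keys.items():
        if '\\Microsoft\\Office\\' not in key:
            continue
        parts = key.split('\\')
        if len(parts) < 3:
            continue
        version, app, leaf = parts[-3], parts[-2], parts[-1]
        if leaf == 'Security' and app in ('Excel', 'Word'):
            if values.get('VBAWarnings') == 1:
                findings.append(
                    f'{app} {version}: VBAWarnings=1 ({VBAWARNINGS_MEANING[1]})')
        if leaf == 'Options' and app == 'Excel':
            # OPEN, OPEN1, OPEN2, ... name files Excel loads at every start
            for name, data in values.items():
                if name.upper().startswith('OPEN'):
                    findings.append(f'Excel {version}: auto-open entry {name} -> {data}')
    return findings


if __name__ == '__main__':
    for finding in find_office_macro_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same check is a `reg export HKCU\Software\Microsoft\Office` followed by this script; a finding of `VBAWarnings=1` on a managed workstation is worth an alert on its own, since users rarely set it and Group Policy normally enforces the default of 2. The `XLSTART` folders are the other startup location to review and are not visible in the registry.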

An analysis report by SonicWall links the activity to the files “Synaptics.exe” and “cache1.exe,” names commonly used by malware to disguise itself; this instance may be Remcos, AgentTesla, Neshta, HTMLDropper, or a similar threat. 

URLs and Synaptics references

While the specific URLs mentioned in the report were unavailable during the analysis, the suspicious behavior of the files suggests they may be malware attempting to infiltrate the system.

Olevba tool output showing some of the malicious functionality

The report also provides indicators of compromise (IOCs) and a set of suspicious URLs. 

The IOC is a hash value, most likely a file hash, that can be used to identify the malicious sample, while the URLs are suspect because of their domain names and path structures. 

The first URL, “[www-env.dropbox-dns[.]com]”, deviates from the legitimate Dropbox domain and might be used for phishing or malware distribution. 

The second and third URLs contain obfuscated characters (“hxxps” instead of “https”) and non-standard Dropbox paths, potentially leading to malicious content disguised as Google Docs or a compressed file.  
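The indicator review above can be automated. The script below is an added example, not tooling from the researchers or from the article: it treats `hxxps` and `[.]` as the analyst convention for defanging links so they cannot be clicked, refangs them, and then sorts each host into a legitimate file-hosting service, a brand look-alike (a hostname containing "dropbox" or "google" outside the real registrable domain, as with `www-env.dropbox-dns[.]com`), or an unknown host, adding notes such as a Dropbox `dl=1` direct-download parameter or a fetched archive or executable. The sample list is constructed: only the look-alike host comes from the article; the share ids, paths, file names and the IP address are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample IOC list in the defanged style used in threat reports.
# Only the first host is named in the article; everything else is a placeholder.
SAMPLE_IOCS = [
    'hxxps://www-env.dropbox-dns[.]com/update/EXAMPLE',
    'hxxps://www.dropbox[.]com/s/EXAMPLESHAREID/document.zip?dl=1',
    'hxxps://docs.google[.]com/document/d/EXAMPLEDOCID/export?format=txt',
    'hxxp://203.0.113[.]10/payload.exe',
]

# Registrable domains of the services the article says are abused for hosting,
# and brand words that should not appear inside any other registrable domain.
LEGIT_SERVICES = {
    'dropbox.com': 'Dropbox',
    'dropboxusercontent.com': 'Dropbox',
    'docs.google.com': 'Google Docs',
    'drive.google.com': 'Google Drive',
}
BRAND_WORDS = ('dropbox', 'google')


def refang(ioc):
    """Turn analyst-defanged text (hxxps, [.], [:]) back into a parseable URL."""
    url = re.sub(r'^hxxp', 'http', ioc.strip(), flags=re.IGNORECASE)
    return url.replace('[:]', ':').replace('[.]', '.')


def host_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith('.' + domain)


def classify_ioc(ioc):
    """Classify one defanged URL and collect review notes for it."""
    url = refang(ioc)
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    result = {'ioc': ioc, 'url': url, 'host': host,
              'verdict': 'unknown-host', 'notes': []}
    if parts.scheme == 'http':
        result['notes'].append('plain HTTP download')
    for domain, service in LEGIT_SERVICES.items():
        if host_under(host, domain):
            result['verdict'] = f'legitimate service ({service})'
            # Dropbox share links with dl=1 skip the preview page and return the file
            if parse_qs(parts.query).get('dl') == ['1']:
                result['notes'].append('Dropbox direct-download link (dl=1)')
            if parts.path.lower().endswith(('.zip', '.exe', '.xls', '.xlsm')):
                result['notes'].append('fetches an archive/executable/document')
            return result
    if any(word in host for word in BRAND_WORDS):
        result['verdict'] = 'brand look-alike'
        result['notes'].append('brand name outside the real registrable domain')
    return result


def triage(iocs):
    """Classify a whole indicator list, preserving order."""
    return [classify_ioc(ioc) for ioc in iocs]


if __name__ == '__main__':
    for r in triage(SAMPLE_IOCS):
        print(f"{r['verdict']:32} {r['host']:28} {'; '.join(r['notes'])}")
```

Hosts under the real service domains cannot simply be blocked, which is why the notes matter: a macro-initiated request to a Dropbox share with `dl=1` that returns an archive is the signal to hunt for in proxy logs, while the look-alike verdict is a straightforward block-list candidate.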

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.