ORCA, Remote Access Trojan



The SonicWall Capture Labs Threat Research Team, recently discovered the “ORCA” remote access Trojan. ORCA, allows an attacker to manipulate various processes and services from the command line. The attacker can execute arbitrary commands allowing the capability to upload and download files along with various other tasks involving the file system.

The following IP addresses and DNS information are seen after the Trojan executes itself.


Static Information:

Encryption Routine & Key:

Inside Ida Pro, we can locate the following key information for how this Trojan was named. Inside function “401200” we see the following xor routine:

By using the byte array “byte_40A060” as a key to the xor routine. We can now decode the information:

  • 0x06 ^ 0x49 = 0x4f = O
  • 0x30 ^ 0x42 = 0x72 = r
  • 0x2E ^ 0x4D = 0x63 = c
  • 0x2D ^ 0x4C = 0x63 = a
  • 0x24 ^ 0x6F = 0x4B = K
  • 0x1D ^ 0x74 = 0x69 = i
  • 0x19 ^ 0x75 = 0x6C = l
  • 0x1F ^ 0x73 = 0x6C = l
  • 0x28 ^ 0x4D = 0x65 = e
  • 0x21 ^ 0x53 = 0x72 = r

String: “OrcaKiller”

The “OrcaKiller” Trojan calls the Windows Crypto API to generate a pseudo random number of around 6 bytes.
This random generated number concatenates itself to the string “OrcaKiller”. We now have “[6 bytes]OrcaKiller”.
With both parts of the generated string known. The Trojan now uses this information to encrypt other pieces of information.

Network Information

The following image shows the dns, header content and type along with the port number used by the Trojan

The Trojan looks for specific sets of HTML tags. The first set can be seen in the image below as “P” and the terminating tag “/P”. Once the Trojan has found the correct tags it drops in to the first command and control function. It then extracts the payload text between the HTML tags and runs it through the decryption routine. The same encryption key used above is used to decrypt the text. Once the payload text has been decrypted the Trojan treats this as a binary executable file, which is then written to the disk and executed.

Summary of Capabilities:

  • System/network information gathering
  • Keystroke logging
  • Screenshots
  • File upload/download/execute
  • Command shell

SonicWall Gateway AntiVirus, provides protection against this threat:

GAV: Orca.RAT_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.