New Orcinius Trojan Uses VBA Stomping to Mask Infection



This week, the SonicWall Capture Labs threat research team investigated a sample of Orcinius malware. This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated. It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys.

Infection Cycle

The initial infection method is an Excel spreadsheet, in this case, “CALENDARIO AZZORTI.xls”.

Figure 1: Initial file detection

The file appears to be an Italian calendar with three worksheets that discuss billing cycles in various cities.

Figure 2: One of the visible sheets seen when opened

The file has a VBA macro that has been modified with a technique called ‘VBA stomping’, where the original source code is destroyed, leaving only compiled p-code. This means that viewing the macro within the document will show either nothing or a harmless version of the code that will run when opening (and closing) the file, as Olevba shows.

Figure 3: Olevba tool output showing some of the malicious functionality

On runtime, the file will run the macro and perform the following actions:

  • Check registry keys and write a new key to hide warnings
    • “HKCU\Software\Microsoft\Office\Excel\Security\VBAWarnings”
    • “HKCU\Software\Microsoft\Office\Word\Security\VBAWarnings”
  • Enumerate windows currently running using EnumThreadWindows
  • Set up persistence by writing a key to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  • Reach out to both of the encoded URLs and attempt to download using WScript.Shell
  • Use SetWindowsHookEx to monitor keyboard input
  • Create a number of randomized timers for activation and download attempts

Figure 4: Enumerating running windows

Figure 5: Setting a hook for keyboard monitoring

Figure 6: URLs and Synaptics references

There are also references to ‘Synaptics.exe’ and ‘cache1.exe’. This sample and listed URLs have been associated with Remcos, AgentTesla, Neshta, HTMLDropper and others that masquerade as ‘Synaptics.exe’ and can be found on VirusTotal. During runtime, the pages at both addresses were unavailable.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

  • Orcinius







Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.