SunOrcal
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Threat Level: | 80 % (High) |
| Infected Computers: | 3 |
| First Seen: | January 19, 2011 |
| Last Seen: | June 3, 2020 |
| OS(es) Affected: | Windows |
The SunOrcal threat first emerged back in 2013. Over the years, the operators of the SunOrcal malware have introduced several major updates. One of the most recent key updates was released in 2017, when the cyber crooks established a C&C (Command & Control) server hosted on the GitHub platform. Another major change was the introduction of steganography, which the SunOrcal threat now uses to conceal its payloads. This hacking tool is known to have been used against several organizations located in Myanmar, as well as against well-known Tibetan activists.
The SunOrcal malware uses a basic technique to make sure that two instances of the implant will not run on the same network. As soon as the threat is launched, it checks for the presence of a specific mutex on the infected host; if the mutex already exists, it halts execution. If it does not, the threat creates a mutex with that name and continues with its attack. Next, the SunOrcal threat unpacks and decrypts its contents, which enables it to download the configuration data needed to complete the attack, such as:
- A link to the GitHub-based C&C server.
- The port utilized for communication.
- The address of the C&C server.
- A URL from which the threat can fetch additional malicious payloads.
The GitHub profile linked to this attack exists under the username 'NordicMyth.' The user in question hosts some innocent-looking 'README' files. However, one of them appears to contain an encrypted string that is not visible at first glance. The SunOrcal threat uses this particular string when executing the attack. Next, the SunOrcal malware may download an additional payload that appears to be delivered as a 'BMP' file. The 'BMP' file in question utilizes the previously mentioned steganography technique, which allows it to carry hidden code. When the SunOrcal threat decodes the content of the 'BMP' file, it proceeds with the attack by loading a DLL (Dynamic Link Library) that helps it complete the attack.
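The README dead drop described above relies on an encoded or encrypted string sitting inside an otherwise ordinary document. One cheap triage check a defender can run over such files is to look for long tokens drawn from a compact alphabet (base64 is typical) whose per-character entropy is far higher than that of prose or URLs. The following is an added example, not code from the original page or from the SunOrcal operators; the README text and the blob in it are constructed for the demonstration, and the 4.8-bit threshold is an assumed starting point to tune against real documentation.

```python
"""Flag long, high-entropy tokens in text files such as a README.

Added example. Encoded configuration strings hidden in documentation
tend to be long, limited to a base64-style alphabet, and close to the
alphabet's maximum entropy (6 bits/char for base64), while ordinary
words, paths and URLs are shorter or far less uniform.
"""
import math
import random
import re
import string

BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"
# Runs of 40+ base64 characters, optionally padded with '='.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(text):
    """Bits per character of the token's empirical symbol distribution."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_tokens(text, min_entropy=4.8):
    """Return (line_no, token, entropy) for tokens that look like encoded blobs.

    The entropy gate keeps long but repetitive runs (e.g. 'AAAA...' padding
    or ASCII-art rules) from being reported."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            ent = shannon_entropy(token)
            if ent >= min_entropy:
                hits.append((line_no, token, round(ent, 2)))
    return hits


# Constructed stand-in for an encoded blob: every base64 symbol exactly once,
# in a deterministic shuffled order (entropy is therefore exactly 6.0).
BLOB = "".join(random.Random(3).sample(BASE64_ALPHABET, 64))

# Constructed README; the URL and project name are placeholders.
SAMPLE_README = f"""# readme-examples

Example project. Nothing to see here.

See https://example.com/docs/getting-started-with-readme-examples for details.
Build with: make all && make install

Changelog token: {BLOB}
"""

if __name__ == "__main__":
    for line_no, token, ent in suspicious_tokens(SAMPLE_README):
        print(f"line {line_no}: entropy {ent} bits/char -> {token[:24]}...")
```

Run against a directory of READMEs, the output is a short list of lines worth opening by hand; a hit is not proof of anything on its own (keys, hashes and embedded images legitimately look the same), but a high-entropy blob in a repository that otherwise contains only a few README files is exactly the pattern the page describes.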
The use of steganography points to a highly skilled group of cybercriminals that is able to carry out complex operations.
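For a responder who has recovered a suspicious 'BMP' like the one described above, two cheap checks separate "probably just an image" from "worth full steganalysis": whether the file carries bytes beyond the pixel array its header declares, and whether the least-significant-bit plane of the pixel data looks random rather than smooth. The following is an added example, not code from the original page or from the SunOrcal operators; it assumes uncompressed 24-bit BMPs, and every sample image is constructed in memory (the stego sample simulates LSB substitution by overwriting LSBs with pseudo-random bits rather than embedding any real payload).

```python
"""Triage heuristics for BMP files suspected of carrying a hidden payload.

Added example. Check 1: data appended after the pixel array shows up as a
gap between the header's declared layout and the file length. Check 2: LSB
substitution leaves the pixel bytes' low bits looking random, so packing
those bits into bytes and measuring entropy exposes it on smooth images.
"""
import math
import random
import struct

FILE_HEADER = "<2sIHHI"        # BITMAPFILEHEADER: magic, size, 2 reserved, offset
INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)
HEADERS_LEN = struct.calcsize(FILE_HEADER) + struct.calcsize(INFO_HEADER)


def row_stride(width, bpp):
    """BMP pixel rows are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def build_bmp(width, height, pixel_bytes):
    """Assemble an uncompressed 24-bit BMP around a padded pixel array."""
    fh = struct.pack(FILE_HEADER, b"BM", HEADERS_LEN + len(pixel_bytes), 0, 0, HEADERS_LEN)
    ih = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0,
                     len(pixel_bytes), 2835, 2835, 0, 0)
    return fh + ih + pixel_bytes


def gradient_pixels(width, height):
    """Constructed 'natural-looking' sample: a smooth horizontal grey ramp."""
    stride = row_stride(width, 24)
    row = bytes(v for x in range(width) for v in (x % 256,) * 3)
    return (row + b"\x00" * (stride - len(row))) * height


def parse_bmp(data):
    """Return the header fields the triage needs; raise on malformed input."""
    if len(data) < HEADERS_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, file_size, _, _, off_bits = struct.unpack_from(FILE_HEADER, data, 0)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0:
        raise ValueError("compressed BMP not handled by this triage")
    return {"file_size": file_size, "off_bits": off_bits, "width": width,
            "height": height, "bpp": bpp,
            "pixel_len": row_stride(width, bpp) * abs(height)}


def trailing_bytes(data):
    """Bytes present after the end of the pixel array the header describes."""
    h = parse_bmp(data)
    return max(0, len(data) - (h["off_bits"] + h["pixel_len"]))


def lsb_entropy(data):
    """Shannon entropy (bits/byte) of the pixel LSBs packed eight at a time.
    Smooth content gives a low value; random LSBs approach 8."""
    h = parse_bmp(data)
    bits = [b & 1 for b in data[h["off_bits"]:h["off_bits"] + h["pixel_len"]]]
    packed = [sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
              for j in range(0, len(bits) - 7, 8)]
    if not packed:
        return 0.0
    counts = {}
    for v in packed:
        counts[v] = counts.get(v, 0) + 1
    n = len(packed)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def randomise_lsbs(data, seed=1234):
    """Simulate LSB-substitution stego: overwrite each pixel byte's LSB with a
    pseudo-random bit (fixed seed so the demonstration is repeatable)."""
    h = parse_bmp(data)
    rng = random.Random(seed)
    body = bytearray(data)
    for i in range(h["off_bits"], h["off_bits"] + h["pixel_len"]):
        body[i] = (body[i] & 0xFE) | rng.getrandbits(1)
    return bytes(body)


def triage(data, entropy_threshold=7.0):
    """Flag either indicator; a hit warrants a closer look, not a verdict."""
    extra, ent = trailing_bytes(data), lsb_entropy(data)
    return {"trailing_bytes": extra, "lsb_entropy": round(ent, 2),
            "suspicious": extra > 0 or ent > entropy_threshold}


# Constructed samples: clean ramp, same image with bytes appended, same image
# with its LSB plane overwritten.
CLEAN = build_bmp(64, 64, gradient_pixels(64, 64))
APPENDED = CLEAN + b"<constructed appended blob>" * 8
LSB_STEGO = randomise_lsbs(CLEAN)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("lsb", LSB_STEGO)):
        print(name, triage(sample))
```

The entropy threshold is deliberately conservative: real photographs have noisier LSB planes than a synthetic ramp, so on production data the clean baseline should be measured from known-good images of the same source before the 7.0 default is trusted, and a BMP that trips neither check can still hide data by other means.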