The SunOrcal threat first emerged in 2013. Over the years, the operators of the SunOrcal malware have introduced several major updates. One of the most recent key updates came in 2017, when the cybercriminals set up a C&C (Command & Control) server hosted on the GitHub platform. Another major change was the introduction of steganography, which the SunOrcal threat could now use as an installation technique. This hacking tool is known to have been used against several organizations located in Myanmar, as well as well-known Tibetan activists.
The SunOrcal malware uses a basic technique to make sure that two implants will not run on the same network. As soon as the threat is launched, it checks for the presence of a specific mutex on the infected host; if a match is found, it halts execution. If no match is found, it creates a mutex with that name and continues with its attack. Next, the SunOrcal threat unpacks and decrypts its embedded contents, which allow it to download the configuration data it needs to complete the attack, such as:
- A link to the GitHub-based C&C server.
- The port utilized for communication.
- The address of the C&C server.
- A URL from which the threat can fetch additional malicious payloads.
The GitHub profile linked to this attack exists under the username 'NordicMyth.' The user in question hosts some innocent-looking 'README' files. However, one of them appears to contain an encrypted string that is not visible at first glance. The SunOrcal threat uses this particular string when executing the attack. Next, the SunOrcal malware may download an additional payload that appears to be delivered in the form of a 'BMP' file. The 'BMP' file in question uses the previously mentioned steganography technique, which allows it to carry hidden code. Once the SunOrcal threat decodes the content of the 'BMP' file, it proceeds with the attack by loading a DLL (Dynamic Link Library), which helps it complete the attack.
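The two artifacts described above, a README carrying an opaque encrypted string and a BMP carrying hidden code, are both things a defender can triage with simple heuristics. The script below is an added example written for this page; it is not SunOrcal code, not code from any vendor report, and it does not reproduce the malware's actual encoding. The page does not say how the BMP hides its payload, so the BMP check assumes only the generic pattern of data placed beyond the declared pixel array (an overlay) or a declared file size that disagrees with the real size, and the README check assumes that an encrypted configuration string shows up as a long, high-entropy token. All function names and the sample inputs are constructed for the example.

```python
import math
import re
import string
import struct
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_tokens(text: str, min_len: int = 32, min_entropy: float = 4.5) -> list:
    """Return tokens in README-style text that are long and look random.

    Plain English words are short and sit around 3-4 bits/char, so a long
    token above 4.5 bits/char is worth a closer look (base64 or hex blobs).
    Thresholds are assumptions chosen for this example, not tuned values.
    """
    tokens = re.findall(r"[A-Za-z0-9+/=_-]+", text)
    return [t for t in tokens if len(t) >= min_len and shannon_entropy(t) >= min_entropy]


def build_bmp(width: int, height: int) -> bytes:
    """Build a minimal 24-bit uncompressed BMP in memory (constructed sample)."""
    stride = ((24 * width + 31) // 32) * 4          # rows are padded to 4 bytes
    pixel_bytes = stride * height
    file_size = 14 + 40 + pixel_bytes
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          pixel_bytes, 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + bytes(pixel_bytes)


def analyze_bmp(data: bytes) -> dict:
    """Parse the BMP headers and report bytes that lie beyond the pixel array.

    A genuine image ends where the pixel array ends; trailing bytes or a
    declared size that differs from the real size are cheap red flags.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)
    if compression == 0:
        stride = ((bpp * width + 31) // 32) * 4
        pixel_bytes = stride * abs(height)          # negative height = top-down rows
    else:
        pixel_bytes = image_size                    # compressed: trust biSizeImage
    expected_end = pixel_offset + pixel_bytes
    overlay = max(0, len(data) - expected_end)
    return {
        "width": width,
        "height": height,
        "bpp": bpp,
        "declared_size": declared_size,
        "actual_size": len(data),
        "expected_end": expected_end,
        "overlay_bytes": overlay,
        "size_mismatch": declared_size != len(data),
    }


# Constructed README text: ordinary prose plus one opaque 64-character blob
# standing in for an encrypted configuration string (not a real sample).
OPAQUE_BLOB = string.ascii_letters + string.digits + "+/"
SAMPLE_README = (
    "This project provides a small helper library for parsing log files.\n"
    "Installation is straightforward and documented in the wiki.\n"
    + OPAQUE_BLOB + "\n"
)

# Constructed BMP samples: one clean, one with a placeholder overlay appended.
CLEAN_BMP = build_bmp(4, 2)
OVERLAY_BMP = CLEAN_BMP + b"HIDDEN-PAYLOAD-PLACEHOLDER"


if __name__ == "__main__":
    print("README hits:", suspicious_tokens(SAMPLE_README))
    print("clean BMP:", analyze_bmp(CLEAN_BMP))
    print("BMP with overlay:", analyze_bmp(OVERLAY_BMP))
```

Both checks are deliberately crude: an adversary can split a string across lines or hide data inside the pixel values rather than after them, so treat a hit as a reason to pull the file into proper analysis, not as a verdict. The BMP parser also reports `size_mismatch`, which catches the common case where the file header still advertises the original image size.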
The use of steganography points to a highly skilled group of cybercriminals that is able to carry out complex operations.