
SunOrcal

Posted: May 28, 2020

SunOrcal is a backdoor Trojan tied to attacks against entities of interest to the Chinese government, traditionally the so-called 'Five Poisons' and neighboring nations. Like any other backdoor Trojan, it may help attackers control your PC, transfer information off it, and install other threats. Primary defenses should focus on removing SunOrcal promptly with anti-malware tools and maintaining vigilance against phishing e-mails.

The Slowly-Widening Nets of Traditional Trojan Wars

SunOrcal is a backdoor Trojan that can easily get lost among the many similar, reconnaissance-oriented threats active in Asia. With tangible connections to threats like Reaver and Surtr, it should surprise no reader that SunOrcal is known for attacks against entities that might criticize or oppose the Chinese government, such as Tibetans, Falun Gong practitioners or Uyghurs. Updates to SunOrcal make it clear that the Trojan's use isn't necessarily a niche one, as its revamped 2017 activity against more distant nations shows.

The SunOrcal backdoor Trojan's primary purpose is helping attackers maintain control over the PC. It may do so by:

  • Downloading other threats and installing them (possibly including Reaver or old versions of itself)
  • Uploading files containing passwords or other information to the attacker's server
  • Modifying files with actions such as deleting, moving, opening or editing
  • Executing arbitrary commands (through PowerShell, CMD or other methods)

However, elements of newer SunOrcal samples show that it's not a static or stagnant tool. More recent attacks deploy it against the governments of Myanmar and Vietnam, which are not the usual targets of China-attributed hacking groups in the region. Besides broadening its targeting, SunOrcal's updates include some semi-creative obfuscation techniques that abuse GitHub and picture-format files.

SunOrcal's GitHub technique involves 'reading' a Norse mythology document hosted on the site, which contains an embedded, twice-XORed link to a C&C domain. The second trick hides a DLL file inside a fake BMP, again using XOR encoding to protect its contents.
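As an added defender-side illustration (not SunOrcal's code and not any vendor's tool), the script below triages a file that claims to be a BMP and checks whether the bytes after its 54-byte header decode to a PE image under a single-byte XOR key, the kind of fake-BMP carrier described above. The single-byte key, the 54-byte header length and the sample input are all assumptions constructed for the example.

```python
"""Triage helper: detect a single-byte-XOR-encoded PE (DLL/EXE) hidden behind a BMP header.

Hypothetical defender-side script (not SunOrcal's or any vendor's code). Assumes the
carrier starts with the 'BM' magic and that the real payload begins right after the
54-byte BITMAPFILEHEADER + BITMAPINFOHEADER, encoded with one XOR byte.
"""
import struct

BMP_HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_xor_pe_in_bmp(data: bytes, header_len: int = BMP_HEADER_LEN):
    """Return (key, offset) if the bytes after the BMP header decode to a PE under some
    single-byte XOR key, else None. Key 0 is included so an unencoded payload is caught too."""
    if data[:2] != b"BM":
        return None
    body = data[header_len:]
    for key in range(256):
        if looks_like_pe(xor_bytes(body[:0x200], key)):  # only the first 512 bytes are needed
            return key, header_len
    return None

def build_sample(key: int) -> bytes:
    """Constructed test input: a fake BMP header followed by a minimal XOR-encoded PE stub."""
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    header = b"BM" + b"\x00" * (BMP_HEADER_LEN - 2)
    return header + xor_bytes(bytes(pe), key)

if __name__ == "__main__":
    print(find_xor_pe_in_bmp(build_sample(0x5A)))  # (90, 54)
```

A real carrier may use a longer header, a multi-byte key or a different offset, so treat a hit as a reason to pull the sample into a sandbox rather than as a verdict.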

Putting Out the Sun that Shines Too Bright on Your Network

The art of hiding data inside pictures, or steganography, is less novel than it once was. Threats such as the MyKings botnet, Okrum and Stegoloader make equally competent use of it for attacking victims and concealing C&C activity. Without such measures, even experienced threat actors leave their servers exposed to countermeasures, including relatively simplistic firewall defenses.

As an Internet equivalent of 'living off the land,' Trojans are abusing GitHub's free hosting more and more often. Besides SunOrcal, the EvilEgg and CoinTicker cryptocurrency-tracker combination and various Molerats campaigns show the site's many applications. While these techniques are no longer shocking, they continue to help SunOrcal, and threats like it, conceal their network activity and identifiable characteristics.

Users should concentrate on watching e-mails for possible phishing attacks, which are the likeliest means of an eventual SunOrcal infection. E-mails may include corrupted attachments tailored to the victim, such as regional news. Updated and trustworthy anti-malware tools usually will flag these Trojan droppers as threats and remove them immediately.

As hackers flex their muscles, a homebody Trojan is gaining the confidence to wander throughout Asia. What SunOrcal will get up to next is worth wondering about, and the answer may continue to surprise everyone.
