Skip to content
Nuclei Templates

Orcus RAT Trojan - Detect

ID: orcus-rat-trojan

Severity: info

Author: pussycat0x

Tags: network,c2,ir,osint,cti,orcus,rat,tcp

Description

Section titled “Description”

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository.

YAML Source

Section titled “YAML Source”
id: orcus-rat-trojan


info:
  name: Orcus RAT Trojan - Detect
  author: pussycat0x
  severity: info
  description: |
    Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository.
  reference:
    - https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:'Orcus RAT Trojan'
  tags: network,c2,ir,osint,cti,orcus,rat,tcp


tcp:
  - inputs:
      - data: 160301007e0100007a03036609c7af2b4c85eaf3675a276eeee7025342c2e03855f07f7622645e02f49fb1000010130113021303002f000a00130039000401000041002b0009080303030203040300000d001a0018040106010403060308040806080708080809080b02010203003300020000000a000c000a001700180019001d0100
        type: hex


    host:
      - "{{Hostname}}"
    port: 10134
    read-size: 1024


    matchers:
      - type: word
        words:
          - "OrcusServerCertificate0"
# digest: 490a00463044022053efcd2d8be1157b6c3d102e0149f4b4054b539681c9e63ffe2ef9017bba357402205d3e96246daea972842c3c4c93fc20fde3a5a89dfb4f832b5d1e86e9b7e55266:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "network/c2/orcus-rat-trojan.yaml"

View on Github