{"id":14995,"date":"2019-04-02T07:17:02","date_gmt":"2019-04-02T15:17:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/04\/02\/news-8744\/"},"modified":"2019-04-02T07:17:02","modified_gmt":"2019-04-02T15:17:02","slug":"news-8744","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/02\/news-8744\/","title":{"rendered":"Canadian Police Raid ‘Orcus RAT’ Author"},"content":{"rendered":"

Credit to Author: BrianKrebs| Date: Tue, 02 Apr 2019 14:50:11 +0000<\/strong><\/p>\n

Canadian police last week raided the residence of a Toronto software developer responsible for authoring and selling \u201cOrcus RAT<\/strong>,\u201d a software product that\u2019s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate\u00a0R<\/strong>emote\u00a0A<\/strong>dministration\u00a0T<\/strong>ool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a\u00a0R<\/strong>emote\u00a0A<\/strong>ccess\u00a0T<\/strong>rojan.<\/p>\n

\"\"<\/a><\/p>\n

An advertisement for Orcus RAT.<\/p>\n<\/div>\n

As\u00a0first detailed by KrebsOnSecurity in July 2016<\/a>, Orcus is the brainchild of\u00a0John \u201cArmada\u201d Rezvesz<\/strong><\/a>, a Toronto resident who until recently maintained and sold the RAT under the company name\u00a0Orcus Technologies<\/strong>.<\/p>\n

In an \u201cofficial press release\u201d\u00a0posted to pastebin.com<\/a>\u00a0on Mar. 31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the\u00a0Royal Canadian Mounted Police<\/strong>\u00a0(RCMP) and the\u00a0Canadian Radio-television and Telecommunications Commission<\/strong>\u00a0(CRTC).<\/p>\n

\u201cIn this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices,\u201d Rezvesz wrote. \u201cData inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.\u201d<\/p>\n

Reached via email, Rezvesz declined to say whether he was arrested in connection with\u00a0the search warrant<\/a>, a copy of which he shared with KrebsOnSecurity. In response to an inquiry from this office, the RCMP stopped short of naming names, but said \u201cwe can confirm that our National Division Cybercrime Investigative Team did execute a search warrant at a Toronto location last week.\u201d<\/p>\n

The RCMP said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of \u201ca series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users\u2019 consent and can lead to the subsequent installation of other malware and theft of personal information.\u201d<\/p>\n

\u201cThe CRTC executed a warrant under Canada\u2019s Anti-Spam Legislation (CASL) and the RCMP National Division executed a search warrant under the Criminal Code respectively,\u201d reads\u00a0a statement<\/a>\u00a0published last week by the Canadian government. \u201cTips from international private cyber security firms triggered the investigation.\u201d<\/p>\n

Rezvesz maintains his software was designed for legitimate use only and for system administrators seeking more powerful, full-featured ways to remotely manage multiple PCs around the globe. He\u2019s also said he\u2019s not responsible for how licensed customers use his products, and that he actively kills software licenses for customers found to be using it for online fraud.<\/p>\n

Yet the\u00a0list of features and plugins<\/a>\u00a0advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.<\/p>\n

\u201cIt can also implement a watchdog that restarts the server component or even trigger a Blue Screen of Death (BSOD) if the someone tries to kill its process,\u201d wrote researchers at security firm Fortinet in\u00a0a Dec. 2017 analysis of the RAT<\/a>. \u201cThis makes it harder for targets to remove it from their systems. These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.\u201d<\/p>\n

As KrebsOnSecurity noted in 2016<\/a>, in conjunction with his RAT Rezvesz also sold and marketed a bulletproof \u201cdynamic DNS service\u201d that promised not to keep any records of customer activity.<\/span><\/p>\n

Rezvesz appears to have a flair for the dramatic, and has periodically emailed this author over the years. Sometimes, the missives were taunting, or\u00a0vaguely ominous and threatening. Like the time he reached out to say he was hiring a private investigator to find and track me. Still other unbidden communications from Rezvesz were friendly, even helpful with timely news tips.<\/p>\n

According to Rezvesz himself, he is no stranger to the Canadian legal system. In June 2018, Rezvesz shared court documents indicating he has been involved in multiple physical assault charges since 2007, including “7 domestic disputes between partners as well as incidents with his parents.”<\/p>\n

\u201cI am not your A-typical computer geek, Brian,\u201d he wrote in a 2018 email. \u201cI tend to have a violent nature, and have both Martial arts and Military training. So, I suppose it is really good that I took your article with a grain of salt instead of actually really getting upset.\u201d<\/p>\n

\"\"<\/a><\/p>\n

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts remotely administer computers. However, these tools tend to be viewed by prosecutors as malware and spyware\u00a0when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and to evade detection by anti-malware programs.<\/p>\n

Last year, a 21-year-old Kentucky man\u00a0pleaded guilty<\/a>\u00a0to authoring and distributing a popular hacking tool called \u201cLuminosityLink<\/strong>,\u201d which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.<\/p>\n

Also in 2018, 27-year-old Arkansas resident\u00a0Taylor Huddleston<\/strong>\u00a0was\u00a0sentenced to three years in jail<\/a>\u00a0for making and selling the \u201cNanoCore RAT<\/strong>,\u201d which was being used to spy on webcams and steal passwords from systems running the software.<\/p>\n

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using \u201cBlackshades<\/strong>,\u201d a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.<\/p>\n

Earlier this year, Rezvesz posted on Twitter<\/a> that he was making the source code for Orcus RAT publicly available, and that he was focusing his attention on developing a new and improved RAT product.<\/p>\n

Meanwhile on Hackforums[.]net \u2014 the forum where Orcus was principally advertised and sold \u2014 members and customers expressed concern that authorities would soon be visiting Orcus RAT customers, posts that were deleted almost as quickly by the Hackforums administrator.<\/p>\n

As if in acknowledgement of that concern, in the Pastebin press release published this week Rezvesz warned people away from using Orcus RAT, and added some choice advice for others who would follow his path.<\/p>\n

\u201cOrcus<\/span>\u00a0is no longer to be considered safe or secure solution to Remote Administrative needs,” he wrote, pointing to\u00a0a screenshot<\/a> of a court order he says came from one of the police investigators, which requires him to abstain from accessing Hackforums or Orcus-related sites. “Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson.\u00a0Stay safe, don\u2019t do stupid shit.\u201d<\/p>\n

https:\/\/krebsonsecurity.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: BrianKrebs| Date: Tue, 02 Apr 2019 14:50:11 +0000<\/strong><\/p>\n

Canadian police last week raided the residence of a Toronto software developer responsible for authoring and selling \u201cOrcus RAT,\u201d a software product that\u2019s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate\u00a0Remote\u00a0Administration\u00a0Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a\u00a0Remote\u00a0Access\u00a0Trojan.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10642],"tags":[16695,21441,16696,21442,8419],"class_list":["post-14995","post","type-post","status-publish","format-standard","hentry","category-independent","category-krebs","tag-breadcrumbs","tag-john-rezvesz","tag-neer-do-well-news","tag-orcus-rat","tag-rcmp"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14995","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14995"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14995\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14995"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14995"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}