Published on December 21st, 2019

Canada's broadcasting agency fines the company behind Orcus malware


Canada's broadcasting regulator has fined a company that sold malware 115,000 Canadian dollars (approximately 87,000 US dollars).

The fine was imposed by the Canadian Radio-television and Telecommunications Commission (CRTC) on Orcus Technologies, a company that sold a remote access Trojan (RAT) called Orcus.

According to an investigation conducted by the CRTC with the help of the cybercrime division of the Royal Canadian Mounted Police (RCMP), the company was founded in March 2016 by a Toronto-based man named John Paul Revesz (also known as Ciriis McGraw, Armada and Angelis, among other aliases) and a German man named Vincent Leo Griebel (also known as Sorzus).

Griebel developed the malware and Revesz provided marketing, sales and support for the software.

Online, the duo claimed to be offering a remote administration tool similar to TeamViewer and other remote management applications.

"The evidence obtained in the course of the investigation allowed the Chief Compliance and Enforcement Officer (CCEO) to conclude that the Orcus RAT was not the typical administration tool that Griebel and Revesz claimed, but was, in fact, a remote access Trojan (RAT), a known type of malware," the CRTC said last week.

The CRTC said the duo sold and helped malicious actors install Orcus RAT without consent on other people's computers.

In addition, the duo also ran a Dynamic Domain Name Server (DDNS) service that helped the malware communicate with infected hosts without revealing the attacker's real IP address.

Criminal investigation also ongoing

The CRTC fine is only one part of the investigation currently under way in Canada, and probably the least severe. The RCMP filed criminal charges against Revesz last month, in November.

The RCMP said they began investigating and tracking Orcus Technologies in July 2016, when the Orcus RAT first appeared on the radar of cybersecurity experts.

This reporter was the first to publish an article about the malware in July 2016, when the Orcus team began advertising the malware on a hacking forum and Orcus started being distributed through malspam (malicious spam) campaigns.

After the article, Revesz defended the Orcus RAT on Twitter, claiming, against all available evidence, that his tool was merely a remote administration application.

Revesz's absurd arguments, his use of a pseudonym (Armada), his penchant for advertising on hacking forums and his careless approach to handling abuse reports won him no fans or sympathy in the cybersecurity industry.

As a result of these disputes on Twitter, several cybersecurity experts and companies filed complaints with the Canadian authorities. Revesz could not maintain his anonymity either: ten days later, investigative journalist Brian Krebs tracked down Armada (Revesz) and revealed his real name and location to the world at large.

A month later, a report by the cybersecurity firm Palo Alto Networks firmly classified Orcus as malware rather than a legitimate application, putting an end to Revesz's claims of running a legitimate business. We quote:

"The people behind Orcus are selling the RAT by advertising it as a 'Remote Administration Tool' under a supposedly registered business and claiming that this tool is designed for legitimate business use only. However, by observing the capabilities of its features, the architecture of the tool, and the posting and sale of the tool on hacker forums, it is clear that Orcus is a malicious tool and that its target customer is cybercriminals."

Image: ZDNet

The 2016 complaints against Orcus Technologies and its tool led the RCMP to open an investigation. The CRTC, the FBI and the Australian Federal Police joined in the following years.

In March 2019, the RCMP executed an arrest warrant at Revesz's residence, while Australian police executed separate arrest warrants across Australia, allegedly targeting Orcus RAT buyers.

On HackForums, the site where Revesz primarily promoted the Orcus RAT, users complained of being raided after the crackdown on buyers in March 2019.

Image: ZDNet

In a Notice of Violation (NoV), the CRTC said it "obtained a list of Orcus RAT buyers based in Canada and abroad," whom it and other investigators plan to continue pursuing.

While Revesz and his German co-conspirator created the Orcus RAT, the malware's buyers are just as guilty as the two, since they are the ones who actually infected the victims.

Over the years, cybersecurity firms have reported seeing Orcus deployed on large corporate networks to assist with data theft, and against ordinary users as a form of spyware and stalkerware.

Being a RAT, Orcus provided full access to and control over an infected host. Its features included:

  • obtaining administrative privileges;
  • recording keystrokes;
  • extracting passwords from other applications;
  • activating the webcam and microphone without notification;
  • installing other applications;
  • hiding the malware's presence on the system; and many others.
