13
Nov 19

Orcus RAT Author Charged in Malware Scheme

In July 2016, KrebsOnSecurity published a story identifying a Toronto man as the author of the Orcus RAT, a software product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. This week, Canadian authorities criminally charged him with orchestrating an international malware scheme.

An advertisement for Orcus RAT.

The accused, 36-year-old John “Armada” Revesz, has maintained that Orcus is a legitimate “Remote Administration Tool” aimed at helping system administrators remotely manage their computers, and that he’s not responsible for how licensed customers use his product.

In my 2016 piece, however, several sources noted that Armada and his team were marketing it more like a Remote Access Trojan, providing ongoing technical support and help to customers who’d purchased Orcus but were having trouble figuring out how to infect new machines or hide their activities online.

Follow-up reporting revealed that the list of features and plugins advertised for Orcus includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.

Canadian investigators don’t appear to be buying Revesz’ claims. On Monday the Royal Canadian Mounted Police (RCMP) announced it had charged Revesz with operating an international malware distribution scheme under the company name “Orcus Technologies.”

“An RCMP criminal investigation began in July 2016 after reports of a significant amount of computers were being infected with a ‘Remote Access Trojan’ type of virus,” the agency said in a statement.

The RCMP filed the charges eight months after executing a search warrant at Revesz’ home, where they seized several hard drives containing Orcus RAT customer names, financial transactions, and other information.

“The evidence obtained shows that this virus has infected computers from around the world, making thousands of victims in multiple countries,” the RCMP said.

Revesz did not respond to requests for comment.

If Revesz’s customers are feeling the heat right now, they probably should be. Several former customers of his took to Hackforums[.]net to complain about being raided by investigators who are trying to track down individuals suspected of using Orcus to infect computers with malware.

“I got raided [and] within the first 5 minutes they mention Orcus to me,” complained one customer on Hackforums[.]net, the forum where Revesz principally advertised his software. That user pointed to a March 2019 media advisory released by the Australian Federal Police, who said they’d executed search warrants there as part of an investigation into RAT technology conducted in tandem with the RCMP.

According to Revesz himself, the arrests and searches related to Orcus have since expanded to individuals in the United States and Germany.

The sale and marketing of remote administration tools is not illegal in the United States, and indeed there are plenty such tools sold by legitimate companies to help computer experts remotely administer computers.

However, these tools tend to be viewed by prosecutors as malware and spyware when their proprietors advertise them as hacking devices and provide customer support aimed at helping buyers deploy the RATs stealthily and evade detection by anti-malware programs.

Last year, a 21-year-old Kentucky man pleaded guilty to authoring and distributing a popular hacking tool called “LuminosityLink,” which experts say was used by thousands of customers to gain access to tens of thousands of computers across 78 countries worldwide.

Also in 2018, 27-year-old Arkansas resident Taylor Huddleston was sentenced to three years in jail for making and selling the “NanoCore RAT,” which was being used to spy on webcams and steal passwords from systems running the software.

In many previous law enforcement investigations targeting RAT developers and sellers, investigators also have targeted customers of these products. In 2014, the U.S. Justice Department announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a cheap and powerful RAT that the U.S. government said was used to infect more than a half million computers worldwide.

It’s remarkable how many denizens of various hacking forums persist in believing that an end-user licensing agreement (EULA) or “terms of service” (TOS) disavowing any responsibility for what customers do with the product somehow absolves sellers of RAT programs of any liability when they then turn around and actively assist customers in using the tools to infect systems with malware.

Tags: , , , , , , , , ,

33 comments

  1. Suggestion: If you don’t want people to think your selling a RAT don’t use an image of a snarky rat hoarding over bitcoin as your logo.

  2. This caused me to remember that really old film scene of Edward G. Robinson (I think) pronouncing “You dirty rat!” at some other mobster….

  3. Why did it take 3 1/2 years to charge this guy?

    • Arresting him right away would have likely sent the other rats scurrying.

    • It likely took that much time to gather enough evidence and compile it into a case that has a high chance of a successful conviction. A court case is not cheap and one that fails could be a lot more expensive.

      There’s also the possibility of using a lot of that time to find the identities of other suspects.

      • The most expensive of all is one that returns a not guilty verdict, at which point he gets to walk away.

        They only try to get those when prosecutors are forced by the public to bring cases against LEOs.

  4. The Sunshine State

    Interesting read ,clearly this John “Armada” Revesz, guy is lower then vermin !

  5. Is this that dude who dressed up as a ninja on FB and thought he was a badass?

    Thank god this finally happened! Dude was beyond annoying and ignorant.

  6. Yah, I would probably think twice before buying any software that abbreviates to a RAT. Or at least if you’re that stupid and need it so much, don’t use your actual name and pay with Bitcoin 🙂

    As for the authors of that malware, when will they learn that if you live in a Western country it’s probably not going to work to try to get away with selling it? For that you need to move to China or Russia.

  7. Armada’s been smug throughout all this too. He seriously thinks he did no wrong and that by just barely skirting the rules he’s somehow operating above the law.

  8. How did he get caught?
    Any court documents to show the evidence they have against him?
    It’s an important detail for these types of posts that you sometimes don’t include.

    • It’s also a detail other potential criminals would want to get their hands on, particularly given how many of them may also be under active investigation as a part of this scheme.

      There’s a reason the public isn’t privy to every tiny detail in criminal cases.

      • It doesn’t work like that lmao, they have to provide evidence in court and these documents are public, sure they won’t say anything while investigating but once hes charged it’s all on the table, it has to be or no case lol.

        And for “criminals” you speak of, they don’t care at all, they laugh at these people how they caught, the evidence is usually something like “used domain with email connected to real life” or “logged in using home ip”.

    • I didn’t include that information because it was the subject of the story I linked to in the first sentence of the article

      https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/

      • Haha, so he got caught because he used his real life email to sign up for all his domains, and left clues all over his personal youtube channel? what a amateur :D, email accounts and domain registration? That’s baby gagabooboo stuff, everyone knows to create a new email and account for every sign up and use tor with fake registration details + pay with XMR hehe.
        You know your opsec sucks when you don’t even need a badge or warrant to discover these little noobs!
        Love these articles krebs, take them down!!!

        • He thought his “legal” loophole would shield him, that is why he used his name. When he ends up owing hundreds of thousands in legal fees trying to keep out of jail, he will probably realize it was a bad idea.

  9. They should set up police with a IP computer check point type system and every raid or warrant issued test for unverified IP location points or rats present in system I think there is a much bigger issue than they really know about.

  10. I am actually glad to see this happen. There are few more “TOOLS” to be dealt with. However, I dont think hackforums is the only problem here. I remember it of being really really blackhat few since 2009 and up. But in the last few years things are sorting out. I think investigations should consider carder and black market forums, as hackforums became mostly a skids forum that got refereed from google by typing HOW TO HACK FACEBOOK. Also, Armada was an as*hole, so I am really glad this has happened. I just hope he does not get away with it again. Thanks for the info Brian.

  11. is funny how a public and open to anyone forum like hackforums is called an UNDERGROUND forum. Even the owner of hf is known and has it as a registered business .

  12. This Armada guy was such an assh0le. Im glad he get what he deserves.

  13. Back in the early days of the net when we weren’t as aware of the dangers I got infections twice, both times I lost everything in my PC. Seeing things like this makes me so happy!

  14. This guy used my opensource software to build this thing. As a security engineer I wasn’t too happy to find that out.

    http://deniable.org/reversing/cracking-orcus-rat

  15. i keep coming again and again to your site to read such informative articles. Great job. Best regards

  16. I would rather have seen a comparison of how this product is different from any of the other commercial RATs that are sold/distributed? Hundreds come to mind, metasploit, cobalt strike, silent trinity, empire, core impact, etc. Each of those come with defensive evasions and several have been used illegitimately. Where’s the line between those intended for research/security testing and maliciousness? Wheres the protections for those who intentions are legit…not implying this guys intentions were, as I dont know.

    • Yes, and malware/zero day exploits are sold to governments to use on us, there is no visible line, they just decide when they want to arrest people basically that simple.

  17. The RCMP have had it in for this guy since the last time they leaked to KOS. About time they finally took it to a court, so he can get a fair trial, instead of him living under a cloud of innuendo.

    I predict acquittal.

  18. Omerta, Respect, Hats off, etc.

    >>> the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners.

    The “blanket immunity” so consistently offered by prosecutors, pimps and procurators to these sleeping beauties is not helping the problems caused by the present worldwide system of crime and punishment which appears to all intents and purposes to be applicable to male subjects only.

    It is the same tired old trope, “All men are rapists,” used so often by the political left to justify the arbitrary criminal adjudication of men and the continued trafficking of women to favored clients.

Leave a comment