Notice of Violation: Orcus Technologies
INVESTIGATION INTO THE ORCUS RAT
The Canadian Radio-television and Telecommunications Commission is responsible for the administration of sections 6 to 46 of Canada’s Anti-Spam Legislation (the Act or CASL)Footnote1 , and the Compliance and Enforcement sector of the Commission investigates potential violations of the Act.
In February 2018, the Electronic Commerce Enforcement division of the CRTC opened a formal investigation into the activities of Orcus Technologies, a general partnership created in March 2016 for the purpose of carrying out software development and networking activities. Orcus Technologies developed, distributed, promoted, and sold a Remote Administration Tool under the name Orcus RAT.
Vincent Leo Griebel (a.k.a. Sorzus), a German national, developed the Orcus RAT, while John Paul Revesz (a.k.a. Ciriis McGraw, Armada, Angelis, among other aliases) provided marketing, sales and support for the software. Griebel and Revesz are the only two partners behind Orcus Technologies General Partnership.
Evidence obtained in the course of the investigation allowed the Chief Compliance and Enforcement Officer (CCEO) to conclude that the Orcus RAT was not the typical administration tool Griebel and Revesz claimed it to be, but was in fact a Remote Access Trojan, a known type of malware. As a result, the CCEO has determined that both Griebel and Revesz have contravened section 9 of the Act by aiding malicious actors to install the Orcus RAT without consent, in the course of commercial activity, on computer systems located in Canada.
Based on the evidence gathered, the CCEO has further determined that Revesz contravened section 9 of the Act through the sale of a Dynamic Domain Name Server (DDNS) service from 2016 to 2019. This DDNS service was used by hackers to communicate with infected computers systems, in Canada and abroad.
In order to promote compliance with CASL, the CCEO has issued two Notices of Violation to Mr. Revesz and Mr. Griebel, the partners of Orcus Technologies, pursuant to section22 of the Act, with a total administrative monetary penalty of $115,000. The recipients of the Notices of Violation have 30 days to file representations to the Commission or pay the penalty.
- THE INVESTIGATION
Following the launch of the inquiry into Orcus Technologies, Commission staff purchased the Orcus RAT in order to conduct a technical analysis. This analysis determined that the Orcus RAT was a Remote Access Trojan (RAT), a known type of malware. The analysis also demonstrated that the computer program included the following features, which would allow an administrator to, among other things:
- Disable the notification when the RAT is installed;
- Hide its presence on the victim’s computer through different techniques;
- Force administrative privileges;
- Record keystrokes;
- Activate the webcam and microphone without notification; and
- Recover passwords.
RATs are a particularly pernicious type of malware that allows an individual to take full administrative control of another person’s system through a remote network connection, without their express consent or knowledge. After the installation of a RAT, intruders have the ability to use the victim’s computer as if it were their own, including accessing confidential information (for instance, login credentials), monitoring user behavior through keyloggers and webcam activation, and exploiting the computer system for their own purpose, such as mining cryptocurrency or spreading malware and viruses.
Remote administration tools have many lawful uses and RATs typically mimic the functionality of these legitimate programs. The difference between the two categories of software lies in the fact that RATs are designed specifically for stealth installation and operation, longevity or persistence, as well as for the infliction of harm. In other words, RATs are by nature designed to be installed on computer systems without the express consent of their owners, which in the course of commercial activity, is contrary to section 8 of CASL.
The true operation of the Orcus RAT involves an attacker sending a client file, also referred to as a binary, to an unsuspecting victim and infecting that person’s computer. The client and the controller then connect to the Orcus server which transmits the attacker’s commands to the victim’s machine, and the responses of the victim’s computer back to the attacker.
The Orcus RAT has attracted the attention of several reputable cybersecurity researchers, firms and journalists around the world, all of whom are in agreement about its malicious nature:
PaloAlto Networks: “The individuals behind Orcus are selling the RAT by advertising it as a “Remote Administration Tool” under a supposedly registered business and claiming that this tool is only designed for legitimate business use. However, looking at the feature capabilities, architecture of the tool, and the publishing and selling of the tool in hacker forums, it is clear that Orcus is a malicious tool, and that its target customer is cyber criminals.”
Krebs on Security: “Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.”
In order to verify compliance with the Act and determine if Revesz and Griebel engaged in activities contrary to CASL, Commission staff used the formal information gathering tools available under the Act. A number of Notices to Produce were issued to third party industry participants located in Canada and abroad, pursuant to section 17 of the Act. In addition, Commission staff executed a warrant in coordination with the Royal Canadian Mountain Police, to enter Revesz’s place of residence, gathering important information to support the investigation. The CRTC also collaborated with the Federal Bureau of Investigation and the Australian Federal Police, who were conducting separate, but parallel investigations.
- INSTALLATION OF A COMPUTER PROGRAM WITHOUT CONSENT
- The Orcus RAT Command and Control Server (C2)
Under section 8 (1) of CASL, “a person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system […], unless the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5).”
During the course of its investigation and following the review of information obtained from numerous third party sources, including cyber security firms, Internet Service Providers, and Web hosters, Commission staff identified a Canadian IP address associated with a Virtual Private Server (VPS) where an Orcus RAT C2 was observed. An examination of the contents of the VPS revealed that an Australian individual was operating two different Orcus servers on his Canadian based VPS.
The evidence obtained in the course of the investigation, including information found on the Canadian based VPS, demonstrated that the Australian had installed the Orcus RAT on over 900 computer systems worldwide, 23 of which were located in Canada, in the course of commercial activity and without the consent of the owners, contrary to section 8 of CASL. The evidence gathered shows that the Orcus RAT C2 contained financial login information and credentials for hundreds of victims worldwide.
The Australian’s single purchase of the Orcus RAT resulted in the known infection of over 900 computer systems. In the course of the investigation, Commission staff gathered information indicating that the Orcus RAT was sold at least 1300 times. While the total number of computers systems infected with the Orcus RAT remains unknown, based on the results of this investigation, it is expected to be considerable in scope.
- Malicious Domain Hosting Facilitated by Revesz’s DDNS Service
On May 22, 2019, Palo Alto Networks sent Commission staff a list of 66 malware samples which it had observed to be connecting to nullroute[.]pw. This domain was registered by Revesz on January 4, 2016 under the moniker Ciriis McGraw, a known alias.
These 66 malware samples constitute evidence that John Paul Revesz’s DDNS service was used to redirect calls from a number of well-known RATs (including Luminosity Link, Nanocore, Imminent Monitor, and Dark Comet) to their respective C2s. Commission staff determined that one subdomain belonging to Revesz’s DDNS service pointed back to a Canadian IP address allocated to a resident located in the Greater Toronto Area between January 2016 and January 2018.
A review of Revesz’s communications obtained during the execution of the warrant revealed that an individual operating under the moniker Erick.Smith41 purchased Revesz’s DDNS service, which was linked by a number of public malware repositories to malicious cyber activity.
Commission staff concluded that a number of individuals used Revesz’s DDNS service to install different types of RATs on computer systems, in the course of commercial activity, without express consent, contrary to section 8 of CASL.
- The Orcus RAT Command and Control Server (C2)
- AIDING IN THE COMMISSION OF ACTS CONTRARY TO SECTION 8 OF THE ACT
Under section 9 of CASL, it is “prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8”. Section 9 of CASL addresses ways in which persons may contribute to contraventions of CASL without committing the violations directly. As set out in Compliance and Enforcement Information Bulletin CRTC 2018-415, Guidelines on the Commission’s approach to section 9 of Canada’s anti-spam legislation (CASL), Section 9 of CASL may apply to individuals and organizations facilitating commercial activity, by electronic means, by providing enabling services, technical or otherwise. Section 9 of CASL could also apply to those who receive direct or indirect financial benefit from a violation of sections 6 to 8 of CASL.
The evidence gathered during the investigation shows that Revesz and Griebel aided in the contravention of section 8 of the Act through the development, marketing and sale of the Orcus RAT, as well as through the counseling and advice provided to users.
Publicly available information on HackForums posts authored by Revesz and Griebel, under their aliases Armada and Sorzus, revealed that they both have, to varying degrees, promoted the malicious features of the Orcus RAT. This included a post where Revesz boasted about the ability for the Orcus RAT to recover victim’s passwords.
Evidence gathered during the course of this investigation demonstrates that John Paul Revesz and Vincent Leo Griebel, directly or indirectly, engaged in activities contrary to section 9 of the Act. Revesz also contravened section 9 through the development, marketing and sale of a DDNS service for use in connection with a significant number of RATs, including Imminent Monitor, Luminosity Link and Adwind RAT.
As part of its investigation, Commission staff obtained a list of Orcus RAT purchasers based in Canada and abroad. A number of investigations are currently ongoing to assess whether these RAT users installed the Orcus RAT on computer systems without consent, contrary to section 8 of CASL. Should this prove to be the case, appropriate enforcement actions will be taken to promote compliance with CASL, including the issuance of administrative monetary penalties of up to $1 million.
A person who is served with an NOV has the opportunity to make representations to the Commission with respect to the amount of the penalty or the alleged violations pursuant to sections 24 and 25 of the Act, and may further bring an appeal in the Federal Court of Appeal from a decision rendered by the Commission pursuant to section 27 of the Act.
As a result and at this time, the above-mentioned information constitute allegations made by persons designated by the Commission pursuant to section 14 of the Act.
A person who is served with an NOV also has the opportunity to enter into an undertaking in connection to these acts and omissions pursuant to subsection 21(4) of the Act, under the conditions provided by subsection 21(2) of the Act.
Commission staff will make the best efforts to provide additional information on this investigation as soon as practicable.
Update 17 February 2020: Pursuant to section 24(1) of CASL, the deadline to make representations with respect to either the amount of the penalty or the acts or omissions constituting the alleged violations was February 3, 2020. Given that no representations were made, pursuant to section 24(2) of CASL, John Paul Revesz is deemed to have committed the violations and must pay the administrative monetary penalty as set out in the notice.
- Date modified: