Understanding Orcus Rat, and Why the Owner may be facing jailtime.

by Habib | Apr 5, 2019 | Featured, Habib Featured, Habib O

Understanding Orcus Rat, and Why the Owner may be facing jailtime.

In modern day society there are a lot of threats that come about the internet. The biggest risk to the average user is a smart developer, now there are two types of developers legal and illegal with many big differences. The bigest issue with malware in the modern day world is when they start branding illegal software as legal software.

We have seen many instances of when this has happened with other RAT (Remote access Trojans) that have been around for the last few years, taking a look at Luminosity, Nanocore, CyberGhost. It is very hard to see the fine line between legal and illegal software of this sort however that fine line can have a lot of consequences if crossed.

For those of you who don’t know what a RAT is, here is a simple definition taken from techtarget

“A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program — such as a game — or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet.”

ttps://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan

Here we have a very interesting example Orcus rat, Armada (John Revesz) being the author working alongside a developer who goes by the alias “Nick(Name)”. Both these users can be found on the popular hacking forum known as HackForums.net.

Armada has always stated that this RAT is for legal purposes only however it’s hard to believe seeing some of the features within the RAT. A legal administrative tool has a lot of these features but not things such as USB spreaders, Virustotal Checker, Adsense Injectors, Keyloggers, Screen spinning and much more. It’s hard to understand why a legal tool would not want their program to be on VirusTotal. Incase you aren’t aware virustotal is a file scanning site that checks for malware, the reasons a lot of malware developers do not want it on that scanner is because they will redistribute the executable to antivirus companies to analyse further.

This leads into the whole concept of a RAT being FUD (Fully undetectable, meaning no antivirus will detect it on execution or scan giving the illusion of clean software). Armada claims to have always wanted the RAT to be similar to teamviewer, but unlike teamviewer he had included features such as webcam spying and disabling the webcams lights.Orcus rat has been developed along with a plugin system, now this system seems to be the downfall of the tool. Orcus had an official github with numerous plugins available which you can find here.

https://github.com/OrcusTechnologies

On the github we can see a few interesting plugins, BSODProtection. This plugin has the intention of fully crashing the users computer if they try and kill the RAT process, we also see a Stress Testing plugin, for those of you who dont know what this plugin is used for, it is designed to utilize a popular attack known as DDOS, where you will flood a server with traffic from all the computers on your network to slow down the target and even stop people accessing this, we have seen a lot of DDOS based attacks from botnets such as mirai.

Things get a lot worse for Armada upon the release of his “Secure DNS Service” which he bundled alongside his software. The purpose of a secure DNS is so that the software executable does not directly connect to your IP address, hiding the user behind the software. Meaning if i ran a Stub from Orcus and debug it i would not see the person that infected me only the middleman server.

Armada claims this DNS to be bulletproof, within the hacking community the term bulletproof means that it is safe from law enforcement and cant be tracked, however for it to truly be bulletproof it needs to be safe on the server side but the server admin in this case being Armada needs to have their digital security at the highest level or anyone using his service could be at major risk.

His DNS service was on sale for $30-$150 a year, openly advertising that he will not report anything to law enforcement.

On the 31st of March 2019, after Armada disappearing for awhile he released a “Official Press Release” on pastebin which you can read here https://pastebin.com/raw/JgZpxwpf

Orcus Technolgies Official Press release March 31 2019 To all it may concern. – As of March 27th 2019 Orcus Technologies was subject to a international search warrant executed by RCMP and CRTC authorities in Canada. In this process authorities seized numerous backup hard drives contains a large portion of Orcus Technologies business, and practices. Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Austrailia, Canada and potentially more. Authorities have NOT obtained the user/license database, nor did they obtain my core laptop or tablet, items explicitly named in the search warrants. All pertinant data has been resolved to my lawyers at this point and we will be going forward legally. I am here by advising any and ALL Orcus users, legal owner or using a cracked copy. Regardless, Orcus is no longer to be considered safe or secure solution to Remote Administrative needs. Please move away from this software without delay. It has been a pleasure getting to know everyone in my time online, and I hope you all can take my words as a life lesson. – Stay safe, don’t do stupid shit. Regards – Armada

From this we can fully understand that Armada may be facing jail time for his “Legal Rat”.

Armada has always been an interesting character from owning suits of armor to openly admitting his violence, however he had always seemed like one of the good guys within the hacking community. It’s sad to see someone’s skills used for bad however it is what is is, and has to be accepted some will go out of their way to profit of others misfortune.

Here are some more interesting sources i suggest you read on this topic.

https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html

Habib O

Self proclaimed tech enthusiast looking to expand my personal portfolio. Click my profile to find out more. PS. If you give me something i will break it.

View Profile