Malware Researchers Track Down Malicious Software Mastermind

The man behind Orcus RAT, a malicious remote access tool reportedly designed to compromise and control computers, was exposed by a group of malware hunters.

According to Krebs on Security, security professional Daniel Gallagher and members of MalwareHunterTeam and MalwareTech engaged with the suspected hacker on Twitter.

Though the person, who goes by “Ciriis Mcgraw” AKA “Armada” on social networks, claimed that the RAT was created for use by network administrators, the researchers disputed that explanation.

“Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines,” the blog explained.

At the same time, the malware researchers were dealing with continued requests for technical support from customers who purchased Orcus.

An update to Orcus released on July 7 allows users to customize the RAT so that it evades digital forensics tools.

Through a YouTube video that Ciriis Mcgraw posted back in 2013, Gallagher was able to link the persona to John Revesz, a security guard from Toronto, Canada.

Revesz’s cached website and personal resume noted that his most recent job was working as an IT systems administrator for TD Bank. Krebs on Security confirmed that Revesz’s LinkedIn account showed he also worked as a security guard for a private security firm.

“Profit was never the intentional goal, however, with the years of professional IT networking experience I have myself, knew that proper correct development and structure to the environment is no free venture either,” Revesz told Krebs on Security when answering questions about the software. “Utilizing my 15+ years of IT experience, I have helped manage Orcus through its development.”

Revesz continued:

“As for your legalities question, Orcus Remote Administrator in no way violates Canadian laws for software development or sale. We neither endorse, allow or authorize any form of misuse of our software. Our EULA (end user license agreement) and TOS (terms of service) are very clear in this matter. Further, we openly and candidly work with those prudent to malware removal to remove Orcus from unwanted use and lock out offending users which may misuse our software, just as any other company would.”

But Orcus still offers plugins that undercut that claim: one lets users turn off the webcam indicator light on a machine running the software, and another can knock websites and individual users offline.

“I constantly try to question my assumptions and make sure I’m playing devil’s advocate and not jumping the gun,” Gallagher (the researcher who originally brought Revesz’s activities to Krebs’ attention) explained. “But I think he’s well aware that what he’s doing is hurting people; it’s just now he knows he’s under the microscope and trying to do and say enough to cover himself if it ever comes down to him being questioned by law enforcement.”