Toronto developer of Orcus RAT software raided by police

Canadian police last week raided the residence of Toronto software developer John Rezvesz, the mastermind behind the ‘Orcus RAT’, a software product that has been marketed on underground forums and used in malware attacks since 2015.

Rezvesz maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as Remote Access Trojans.

As first reported by KrebsOnSecurity back in July 2016, Orcus is the brainchild of John Rezvesz, a Toronto resident who until recently maintained and sold the RAT under the company name Orcus Technologies.

In a press release, Rezvesz said his company was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC).

Rezvesz wrote: “In this process authorities seized numerous backup hard drives [containing] a large portion of Orcus Technologies business, and practices.

“Data inclusive on these drives include but are not limited to: User information inclusive of user names, real names, financial transactions, and further. The arrests and searches expand to an international investigation at this point, including countries as America, Germany, Australia, Canada and potentially more.”

The RCMP reportedly said the raid was part of an international coordinated effort with the Federal Bureau of Investigation and the Australian Federal Police, as part of “a series of ongoing, parallel investigations into Remote Access Trojan (RAT) technology. This type of malicious software (malware) enables remote access to Canadian computers, without their users’ consent and can lead to the subsequent installation of other malware and theft of personal information”.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented on the case: “It is pretty difficult to draw a straight line and delineate legitimate RA software from malware. They frequently share many identical functionalities, with similar implementation, often for perfectly legitimate purposes. Unless the RAT in question cannot be used [by its design] for anything but malicious activities, it will be quite complicated to charge its author with a crime.

“A walkthrough with customers may shed some light on past cybercrimes committed by unscrupulous buyers who purposefully acquired the tool to break the law. A thorough investigation is required to determine both factual issues and intents prior to making any conclusions, however.”