Canada’s Anti-Spam Legislation (CASL) Goes After Malware Distributors
Canada’s Anti-Spam Legislation (CASL), the federal law that took effect in 2014, is proving to be more than an anti-spam law: it has recently been applied against malicious actors who distribute malicious software (malware).
On March 27, 2019, the Canadian Radio-television and Telecommunications Commission (CRTC), working with the Royal Canadian Mounted Police (RCMP), executed a warrant at the home of a Toronto software developer behind the remote access trojan (RAT) called “Orcus”. A remote access trojan, in general, is a type of malware that facilitates covert and unauthorized remote access, enabling a malicious actor to access someone else’s computer, wherever that computer is geographically located, and make changes to it without the owner’s consent.
What Is Canada’s Anti-Spam Legislation (CASL)?
Canada’s Anti-Spam Legislation (CASL), which amended the Canadian Radio-television and Telecommunications Commission Act, covers more than just spam emails. Pertinent provisions of the law include:
Section 6: It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Section 7: It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or the person to whom the message is sent; or the alteration is made in accordance with a court order.
Section 8: A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system; or the person is acting in accordance with a court order.
Section 9: It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
The maximum penalty for violating CASL is $1,000,000 for an individual and $10,000,000 where the violator is an organization.
What Is Orcus RAT?
While authorities refused to name the subject of the March 27, 2019 CRTC warrant, a person who calls himself “Armada” said in a statement that his organization, “Orcus Technologies”, was the subject of the warrant. Since early 2016, Orcus Technologies has marketed Orcus RAT as a legitimate remote administration tool, that is, software that gives a person full access to a computer as if that person had physical access to the device.
Armada said authorities seized numerous backup hard drives which contained a large portion of Orcus Technologies business, including user information inclusive of user names, real names and financial transactions. As a result of the seizure, Armada said Orcus RAT is no longer a “safe or secure solution to Remote Administrative needs”.
One standout feature of Orcus RAT is its ability to load custom plugins built by users, as well as plugins available from the Orcus repository. While Orcus Technologies claims that Orcus RAT is a legitimate remote administration tool, its website listed capabilities that go beyond the scope of a legitimate remote administration tool: disabling the webcam’s light indicator so the target is not alerted that the camera is enabled; restarting the server component or triggering a Blue Screen of Death (BSOD) if someone tries to kill its process; and a plugin that can be used to perform a distributed denial-of-service (DDoS) attack.
Orcus RAT also features capabilities such as password retrieval and keylogging, which are not normally found in legitimate remote administration tools but are typical of remote access trojans, which facilitate covert and unauthorized remote access.
One such remote access trojan, which facilitates the installation of Orcus RAT, was unleashed in December 2017 via a phishing campaign, a type of cyber-attack that uses spam emails as a weapon. The spam emails arrived in the inboxes of targeted bitcoin investors offering Gunbot, a trading automation software for cryptocurrencies, and carried an attachment. Analysis by researchers at Fortinet showed that when the recipient opens this attachment, it downloads from a specific URL a file containing the malware, and embedded in this malware is Orcus RAT.
The Orcus RAT malware in this case, Fortinet researchers said, resulted in the loss of cryptocurrency investments and more. “In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool,” the researchers said. “Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
CRTC Director Neil Barratt told KrebsOnSecurity that CASL gives authorities leeway to get malicious actors off networks in Canada and elsewhere, because the burden of proof required under CASL is lower than that for a criminal conviction.
“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”
Steve E. Driz, I.S.P., ITCP