Hacking Team has returned, warns malware researcher

Remember that the “Hacking Team” itself was hacked, with gigs of their shit dropped
on the internet…

Hacking Team has returned, warns malware researcher

” New Mac OS malware found in the wild indicates that Hacking Team, the Italian company that sold PC cracking and surveillance tools to governments worldwide, is back in business.

The claim was made by security researcher Pedro Vilaça who has analysed almost all of the malware that Hacking Team has developed to compromise computers since the company was itself hacked in July last year.

Vilaça claims that Mac OS X malware found in the wild and uploaded to VirusTotal at the beginning of February bears all the hallmarks of Hacking Team.

The malware wasn’t detectable by any of the major antivirus scanners at the time, and even at the beginning of the week could be detected only by 10 out of 56 antivirus software packages and services for the Apple Mac.

A technical analysis of the malware was published earlier this week by SentinelOne security researcher Pedro Vilaça under the headline: The Italian morons are back! What are they up to this time?

Key elements of the malware indicate that Hacking Team was back in business within three months of the July 2015 bust in which all the company’s emails, and much of its technology and techniques, were publicly leaked by a hacker or ex-employee who has never been publicly identified.

Looking at the dropper code and comparing with older samples, we can’t spot many differences,” noted Vilaça in his detailed analysis of the malware.

“The structure is more or less the same and the tricks still the same, so you can refer to my slides and older blog posts if you are interested in those details. The only difference is that this time the dropper only packs a single persistence binary and a configuration file. Older samples packed more stuff.”

The malware can be accurately dated as the code shows that it was last updated in October/November and the embedded encryption key is dated 16 October.

The Shodan search engine, which collects data on open network ports, indicates that the malware’s host was first seen on 15 October 2015, with the last information gathered on 4 February, according to John Matherly, the programmer behind Shodan.

Vilaça added in an update: “I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the [July 2015] leaked source code.

“Either someone is maintaining and updating Hacking Team code (why the hell would someone do that?) or this is indeed a legit sample compiled by Hacking Team themselves. Reuse and repurposing of malware source code happens (Zeus, for example) but my gut feeling and indicators seem to not point in that direction.”

Vilaça strongly believes that Hacking Team is behind this new Mac OS malware because of the way it is coded. “When you have reversed all their samples let’s say you start to know them quite well,” he said.

His belief is also based on comments from former Hacking Team employees who said that the malware is consistent with the firm’s “normal practices”.

He concluded: “Hacking Team is still alive and kicking but they are still the same crap morons.””

Advertisements