HackingTeam has been quiet recently, following the hack against them last July that revealed embarrassing amounts of their private data, emails, and code. Now researchers have discovered a piece of newly developed malware affecting the Mac OSX operating system that has led to a belief that the group has returned.
A sample of the malware was uploaded to Google’s VirusTotal scanning service on the 4th of February which at the time wasn’t detected by any major anti-virus products (now according to Ars Technica, it is detected by 10 out of 56 AV services.) SentinelOne researcher Pedro Vilaça demonstrated on Monday some functions of the malware which was shown to last be updated around October or November with an embedded encryption key dated October 16th. The malware works by installing a copy of HackingTeam’s Remote Code Systems compromise platform, with these two pieces of evidence implying that the malware is built upon old and unexceptional code from the team, instead of the entirely new code that the group promised they would return with following their compromise.
“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”
Another examination of the sample by Patrick Wardle, a Mac security expert at Synack, found that while the malware appears to be built upon the old HackingTeam code it has several tricks up its sleeve for evading detection. This includes using Apple’s native encryption scheme to protect its binary file, which is the first of its kind seen by Wardle.
Exactly how the malware gets installed is yet to be discovered, with top possibilities are users being deceived into installing it thinking it is benign software, or that it is bundled with another piece of malware that executes its installer. While this malware isn’t enough proof alone to show that HackingTeam is active again, Vilaça found through the Shodan search engine and a scan of the IP address in VirusTotal’s sample show that the control server has been active as recently as January, which means this malware, regardless of its origin, should be treated as more than a hoax.