The controversial Italian intrusion and surveillance IT firm Hacking Team appears to be active again, according to security researchers who have identified a new kind of Mac malware. First submitted to the security analysis site VirusTotal on February 2, samples of the OS X malware reveal a number of hallmarks of Hacking Team code, said experts who have reviewed the code.
Founded by Italian programmers Alberto Ornaghi and Marco Valleri in 2003, Hacking Team has been widely criticized by privacy and civil rights advocates for selling its hacking and surveillance tools to governments with records of human rights abuses. The company was itself hacked in July, resulting in the release of 400 GB of e-mail conversations, internal files and source code.
In a post yesterday on his Mac OS X security blog, SentinelOne senior researcher Pedro Vilaça said he analyzed a new sample of OS X malware code that uses “more or less the same techniques as older Hacking Team RCS [remote control systems] samples.” He added that reverse engineering the sample shows that the code dates to October or November of last year, indicating new activity by Hacking Team after its massive data breach last summer.
Malware First Went Undetected
Analysis of the sample code shows it is “a very fresh sample compared with what we got in the past, it is a sample created post July 2015 hack, and it’s using the same code base as before,” Vilaça said. “HackingTeam is still alive and kicking.”
When the sample code was first uploaded to VirusTotal, the detection rate for the malware was zero, meaning none of the 55 anti-virus engines used by the service detected or identified it. As of today, however, 19 of those engines flag the suspicious code. The new malware uses a “dropper” to install a virus onto the target computer.
“This code checks for newer OS X versions and does not exist in the leaked source code,” Vilaça said. “Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus, for example) but my gut feeling and indicators seem to not point in that direction.”
Hacking Team Slams ‘Fear-Mongering’
Hacking Team’s Web site also indicates the company is pursuing new business despite the setback of last year’s hack and data breach. The firm’s “Meet Us” page notes that company representatives expect to attend several security conferences this year in the U.K., Dubai and the Czech Republic.
In addition, last week Hacking Team’s chief marketing and communications officer Eric Rabe posted a commentary on the company’s Web site weighing in on the current court battle between the U.S. Federal Bureau of Investigation and Apple over an encrypted iPhone. He accused Apple and its defenders of engaging in “fear-mongering” over law enforcement efforts to break encryption, and argued that his company’s software permits the lawful surveillance of devices used by criminals, terrorists or other suspects.
“The company was founded on the premise that security provided by law enforcement is an essential right, just as privacy is,” Rabe said. “Hacking Team has paid dearly for taking that position. Well-publicized attacks against the company have been aimed apparently at destroying it.”