Lock down your PCs - Hacking Team is back!

Mac OS malware bearing the hallmarks of Hacking Team found in the wild

New evidence from malware found in the wild indicates that Hacking Team, the notorious Italian computer security company that sold computer cracking and surveillance tools to governments worldwide, is back up and running.

The claim was made by a security researcher, Pedro Vilaça, who has analysed almost all of the malware that Hacking Team has developed to compromise targets' computers.

Vilaça claims that Mac OS X malware found in the wild and uploaded to VirusTotal at the beginning of February bears all the hallmarks of Hacking Team. At the time, the malware wasn't detectable by any of the major anti-virus scanners, and even at the beginning of this week it could only be detected by 10 out of 56 anti-virus software packages and services for the Apple Mac.

A technical analysis of the malware was published earlier this week by SentinelOne security researcher Pedro Vilaça under the headline, "The Italian morons are back! What are they up to this time?"

Key elements of the malware indicate that Hacking Team was back in business within three months of the big July 2015 bust in which all the company's emails, and much of its technology and techniques, were publicly leaked by either a hacker or ex-employee, who has never been publicly identified.

"Looking at the dropper code and comparing with older samples, we can't spot many differences," notes Vilaça in his detailed analysis of the malware.

He continues: "The structure is more or less the same and the tricks still the same, so you can refer to my slides and older blog posts if you are interested in those details. The only difference is that this time the dropper only packs a single persistence binary and a configuration file. Older samples packed more stuff."

The malware can be dated fairly precisely: the code shows that it was last updated in October/November, and the embedded encryption key is dated 16 October. The Shodan search engine, which collects data on open network ports, indicates that the malware's host was first seen on 15 October 2015, with the last information gathered on 4 February, according to John Matherly, the programmer behind Shodan.

In an update, Vilaça adds: "I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the [July 2015] leaked source code. Either someone is maintaining and updating Hacking Team code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by Hacking Team themselves. Re-usage and repurposing of malware source code happens (Zeus, for example) but my gut feeling and indicators seem to not point in that direction."

Vilaça strongly believes Hacking Team is behind this new Mac OS malware because of the way it is coded - "When you have reversed all their samples let's say you start to know them quite well" - as well as comments from ex-employees who say the malware is congruent with Hacking Team's "normal practices".

He concludes: "Hacking Team is still alive and kicking but they are still the same crap morons."