An examination of a new OS X malware sample suggests the Italian exploit seller may be up to its old tricks.
A recently discovered Apple Mac OS X malware sample has raised speculation that exploit seller Hacking Team is returning to the market after a disastrous cyberattack which spilled the firm's corporate innards into the public domain last year.
In July 2015, Italian firm Hacking Team, a provider of surveillance tools, malware and spyware to government, law enforcement and intelligence agencies worldwide, suffered a catastrophic data breach after an attacker compromised its servers and stole roughly 400GB of corporate data. Until then the company's exploits and tools had been a closely guarded secret; once the leak was public, security researchers worldwide pulled it apart, and the affected vendors rushed out patches for the zero-day vulnerabilities it exposed.
The company vowed that the attack would not put it out of business for good, and a new strain of OS X malware may be evidence of the malware seller's efforts to develop fresh surveillance tools and spyware for sale.
Earlier this month, a new OS X Trojan sample, flagged as "Morcut", was uploaded to Google-owned VirusTotal. At the time the sample was submitted, detection by antivirus engines was practically zero, according to SentinelOne security researcher Pedro Vilaca. (At the time of writing, 15 of the 55 antivirus engines on VirusTotal detect it.)
The malware is connected to Hacking Team's Remote Control System (RCS), the surveillance platform the company sells to its clients. In an analysis of the Trojan, Vilaca says the sample contains a number of clues potentially linking it to Hacking Team, or at least to someone reusing code that became public through the company's data breach.
These indicators include unusual segments and structures in the binary, a VM memory-based anti-debugging trick previously used by Hacking Team, and a dropper that matches the company's RCS platform.
"The dropper is using more or less the same techniques as older HackingTeam RCS samples and its code is more or less the same," Vilaca says. "The new things we can observe are the binary using Apple's binary protection feature and a small anti-debugging trick. Until now, nothing spectacular. Either this is an old sample or Hacking Team are still using the same code base as before the hack."
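The "binary protection feature" in the quote is, in Mach-O terms, the SG_PROTECTED_VERSION_1 segment flag (0x8 in Apple's <mach-o/loader.h>), which marks a segment as encrypted and is normally only seen in a handful of Apple's own binaries; finding it in a third-party binary is a quick triage signal. The script below is an added example for this article, not code from Vilaca's analysis or from the sample itself: it walks the load commands of a thin or fat Mach-O and reports every segment carrying that flag. The Mach-O it builds for the demonstration is constructed inline with an arbitrary layout and is not the malware.

```python
import struct
import sys

# Constants from Apple's <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian on disk
FAT_MAGIC = 0xCAFEBABE     # universal binary, header is big-endian
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
SG_PROTECTED_VERSION_1 = 0x8   # "binary protection": segment is encrypted


def _parse_thin(buf, base=0):
    """Return (segname, flags) for every LC_SEGMENT/LC_SEGMENT_64 in the thin
    image that starts at buf[base]. Big-endian (PowerPC-era) images are rejected."""
    if base + 4 > len(buf):
        raise ValueError('truncated header')
    magic, = struct.unpack_from('<I', buf, base)
    if magic == MH_MAGIC_64:
        hdr_len, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, '<16sQQQQiiII'
    elif magic == MH_MAGIC:
        hdr_len, seg_cmd, seg_fmt = 28, LC_SEGMENT, '<16sIIIIiiII'
    else:
        raise ValueError('not a little-endian thin Mach-O: 0x%08x' % magic)
    if base + hdr_len > len(buf):
        raise ValueError('truncated header')
    # ncmds / sizeofcmds sit at offset 16 / 20 in both header variants
    ncmds, sizeofcmds = struct.unpack_from('<II', buf, base + 16)
    off, end = base + hdr_len, base + hdr_len + sizeofcmds
    segs = []
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(buf):
            raise ValueError('truncated load commands')
        cmd, cmdsize = struct.unpack_from('<II', buf, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(buf):
            raise ValueError('bad cmdsize 0x%x at 0x%x' % (cmdsize, off))
        if cmd == seg_cmd:
            if cmdsize < 8 + struct.calcsize(seg_fmt):
                raise ValueError('short segment command at 0x%x' % off)
            fields = struct.unpack_from(seg_fmt, buf, off + 8)
            segname = fields[0].rstrip(b'\0').decode('ascii', 'replace')
            segs.append((segname, fields[-1]))   # last field is the flags word
        off += cmdsize
    return segs


def protected_segments(buf):
    """Return [(image_offset, segname)] for every segment flagged
    SG_PROTECTED_VERSION_1, across all slices of a fat binary if present."""
    images = [0]
    if len(buf) >= 8 and struct.unpack_from('>I', buf, 0)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from('>I', buf, 4)
        images = []
        for i in range(nfat):   # each fat_arch is five big-endian uint32s
            _, _, offset, size, _ = struct.unpack_from('>IIIII', buf, 8 + 20 * i)
            if offset + size > len(buf):
                raise ValueError('fat arch %d out of bounds' % i)
            images.append(offset)
    return [(base, name) for base in images
            for name, flags in _parse_thin(buf, base)
            if flags & SG_PROTECTED_VERSION_1]


# --- constructed sample input (not the malware), used for the demo and tests ---
def _segment64(name, flags):
    body = struct.pack('<16sQQQQiiII', name, 0, 0x1000, 0, 0x1000, 7, 5, 0, flags)
    return struct.pack('<II', LC_SEGMENT_64, 8 + len(body)) + body


def build_sample():
    """Minimal x86_64 MH_EXECUTE with __TEXT marked protected and __DATA not."""
    cmds = _segment64(b'__TEXT', SG_PROTECTED_VERSION_1) + _segment64(b'__DATA', 0)
    hdr = struct.pack('<IIIIIIII', MH_MAGIC_64, 0x01000007, 0x3, 0x2, 2, len(cmds), 0, 0)
    return hdr + cmds


def build_fat_sample():
    """The same image wrapped in a one-slice fat header at a page-aligned offset."""
    thin = build_sample()
    offset = 4096
    hdr = struct.pack('>II', FAT_MAGIC, 1)
    hdr += struct.pack('>IIIII', 0x01000007, 0x3, offset, len(thin), 12)
    return hdr + b'\0' * (offset - len(hdr)) + thin


if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample()
    hits = protected_segments(data)
    for base, name in hits:
        print('image @0x%x: segment %s carries SG_PROTECTED_VERSION_1' % (base, name))
    if not hits:
        print('no protected segments')
```

Run it against any file to list protected segments; with no argument it checks the constructed sample. The flag alone does not prove malice (Apple ships a few protected binaries of its own), but a protected segment in an unsigned third-party dropper is exactly the kind of oddity worth a closer look.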
The security researcher says the installer was last updated in October or November, and that an embedded encryption key dated 16 October, three months after Hacking Team's data breach, together with IP address clues, indicates this is a fresh sample and that the malware seller is most likely still active post-hack.
Despite Hacking Team's promises to completely alter their source code, however, Vilaca believes they are relying on code compiled from the leaked version with just a few upgrades, including a checker for new OS X versions. "HackingTeam is still alive and kicking but they are still the same crap morons as the email leaks have shown us," the researcher says. "If you are new to OS X malware reverse engineering it's a nice sample to practice with."