SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
2 Mar 2016

Largely undetected Mac malware suggests disgraced HackingTeam has returned

An examination of a new OS X malware sample suggests the Italian exploit seller may be up to its old tricks.

A recently discovered Apple Mac OS X malware sample has raised speculation that exploit seller Hacking Team is returning to the market after a disastrous cyberattack which spilled the firm's corporate innards into the public domain last year.

In July 2015, Italian firm Hacking Team, a provider of surveillance tools, malware and spyware to government, law enforcement and intelligence agencies worldwide, experienced a catastrophic data breach after a cyberattacker compromised their servers and managed to steal 400GB of corporate data. The company's exploits and tools were, before then, a closely-guarded secret -- and the sudden release of all Hacking Team's deepest secrets was met with glee by security researchers worldwide who immediately began developing patches to close these zero-day vulnerabilities.

The company vowed that the attack would not put them out of business permanently, and a new strain of OS X malware may show the malware seller's attempts to develop new surveillance tools and spyware for sale.

Earlier this month, a new OS X-based Trojan sample dubbed "Morcut" was uploaded to Google-owned VirusTotal. At the time the sample was submitted, the rate of detection by antivirus firms was practically zero, according to SentinelOne security researcher Pedro Vilaca. (At the time of writing, 15 out of 55 antivirus firms now detect the malware).

The malware is connected to Hacking Team's Remote Code System (RCS), a platform used for surveillance purposes by the company's clients. In an analysis of the Trojan, Vilaca says the sample contains a number of clues potentially linking it to Hacking Team -- or, at least, to reuse by others of code that leaked in the company's data breach.

These indicators include unusual malware segments and structures, a VM memory-based anti-debugging trick used by Hacking Team, and a dropper linked to the company's RCS platform.

"The dropper is using more or less the same techniques as older HackingTeam RCS samples and its code is more or less the same," Vilaca says. "The new things we can observe is the binary using Apple's binary protection feature and a small anti-debugging trick. Until now, nothing spectacular. Either this is an old sample or Hacking Team are still using the same code base as before the hack."

The security researcher says the installer was last updated in October or November. An embedded encryption key dated 16 October (three months after Hacking Team's data breach) and IP address clues indicate that this is a fresh sample, and that the malware seller is likely still active post-hack.

Despite Hacking Team's promises to completely alter their source code, however, Vilaca believes they are relying on code compiled from the leaked version with just a few upgrades, including a checker for new OS X versions. "HackingTeam is still alive and kicking but they are still the same crap morons as the email leaks have shown us," the researcher says. "If you are new to OS X malware reverse engineering it's a nice sample to practice with."

Tags:
information leaks OS X
Source:
ZDNet