The Hacking team, which is a supplier of surveillance tools and malware to the governments and intelligence agencies globally is speculated to have returned to the global arena. The speculations have become rife after the discovery of an Apple Mac OS X malware sample.
For those who don’t remember, the Italian firm in July 2015 had suffered a disastrous cyber-attack, where the attacker had managed to steal 400 GB of corporate data from the firm. The company, till then, performed most of its deeds surreptitiously and the release of its secrets by hackers was appreciated by security researchers worldwide.
The firm had vowed that such an attack would not dampen their spirits completely and that a new OS X malware might portray the malware seller’s attempts to develop new spyware for sale.
Recently, a new OS X-based Trojan sample called “Morcut” was uploaded on Google-owned VirusTotal, the attributes of which point to the Italian firm, Hacking Team. According to SentinelOne researcher Pedro Vilaca, the rate of detection for the Trojan sample by antivirus firms was almost nil at the time of its release.
After analysing the sample, Vilaca has found several clues that connect the sample to Hacker Team, which include unusual malware segments, a VM memory based anti-bugging track and a dropper – proving the fact that they may have stayed true to their words. The malware is also said to be associated with the RCS or Remote Code System of the company, as suggested by the dropper.
“The dropper is using more or less the same techniques as older HackingTeam RCS samples and its code is more or less the same. The new things we can observe is the binary using Apple’s binary protection feature and a small anti-debugging trick. Until now, nothing spectacular. Either this is an old sample or Hacking Team are still using the same code base as before the hack” – Vilaca said.
The security analyst has also said that the installer, which was last updated in sometime during October or November, along with an encryption key and IP clues, further strengthen the speculation regarding the Italian firm.
Vilaca also believes that the team, contrary to its promise of completely changing their source code, is rather relying on code obtained from the leaked versions, with a few changes made here and there.
Calling them the “same crap morons”, Vilaca said that they are still alive in the global domain.