
Mac Malware Implies HackingTeam Has Returned

HackingTeam has been quiet since the breach last July that exposed embarrassing amounts of its private data, emails, and source code. Now researchers have discovered newly developed malware targeting Mac OS X that has led them to believe the group has returned.

A sample of the malware was uploaded to Google's VirusTotal scanning service on the 4th of February, at which time it was not detected by any major anti-virus product (according to Ars Technica, it is now detected by 10 of 56 engines). SentinelOne researcher Pedro Vilaça demonstrated some of the malware's functions on Monday; the code appears to have last been updated around October or November, and it carries an embedded encryption key dated October 16th. The malware works by installing a copy of HackingTeam's Remote Control System (RCS) compromise platform. Together, these two pieces of evidence imply the malware is built on old and unexceptional code from the team, rather than the entirely new code the group promised to return with after its compromise.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another examination of the sample, by Patrick Wardle, a Mac security expert at Synack, found that while the malware appears to be built on the old HackingTeam code, it has several tricks for evading detection. Among them is the use of Apple's native binary encryption scheme to protect its executable, the first time Wardle had seen that technique used by malware. Because the kernel only decrypts such a binary when it is loaded, the encrypted code on disk defeats static signature scanning, although the decrypted image can still be recovered from a running process.
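The practical check a defender wants here is a way to spot binaries that use Apple's binary protection without running them. The script below is an added example and not code from the article or from either researcher; it assumes that the protection Wardle describes is the SG_PROTECTED_VERSION_1 flag carried in a Mach-O segment load command (the mechanism Apple's loader uses for its own protected binaries), parses thin and fat Mach-O headers, and reports any segment carrying that flag. The sample images it scans are constructed in the script itself and contain no code or data from the real malware.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8   # assumption: the "binary protection" flag the kernel decrypts at load


def protected_segments(image):
    """Return the names of segments in one thin Mach-O image whose flags carry
    SG_PROTECTED_VERSION_1. Raises ValueError on a malformed header."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC_64:
        header_size, seg_cmd, flags_off = 32, LC_SEGMENT_64, 68   # flags field offset inside LC_SEGMENT_64
    elif magic == MH_MAGIC:
        header_size, seg_cmd, flags_off = 28, LC_SEGMENT, 52      # flags field offset inside LC_SEGMENT
    else:
        raise ValueError("not a little-endian Mach-O image (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", image, 16)
    end = header_size + sizeofcmds
    if end > len(image):
        raise ValueError("sizeofcmds runs past end of file")
    found, off = [], header_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        if cmd == seg_cmd and cmdsize >= flags_off + 4:
            name = image[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            flags = struct.unpack_from("<I", image, off + flags_off)[0]
            if flags & SG_PROTECTED_VERSION_1:
                found.append(name)
        off += cmdsize
    return found


def scan_macho(data):
    """Handle thin and fat (universal) files; returns {slice_index: [protected segment names]}."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:      # fat headers are big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        result = {}
        for i in range(nfat):
            _cputype, _cpusub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            result[i] = protected_segments(data[offset:offset + size])
        return result
    return {0: protected_segments(data)}


# --- constructed sample inputs (hypothetical, not derived from any real binary) ---
def build_macho64(segments):
    """Build a minimal x86_64 Mach-O executable header with the given
    (segment name, segment flags) pairs and no section data."""
    cmds = b""
    for name, flags in segments:
        cmds += struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.encode(),
                            0, 0x1000, 0, 0x1000, 7, 5, 0, flags)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 0x3, 0x2,
                         len(segments), len(cmds), 0, 0)
    return header + cmds


def build_fat(images):
    """Wrap thin images in a fat header, page-aligning each slice."""
    first_offset, archs, blob = 0x1000, b"", b""
    for img in images:
        archs += struct.pack(">5I", 0x01000007, 0x3, first_offset + len(blob), len(img), 12)
        blob += img + b"\0" * (-len(img) % 0x1000)
    hdr = struct.pack(">II", FAT_MAGIC, len(images)) + archs
    return hdr + b"\0" * (first_offset - len(hdr)) + blob


CLEAN_SAMPLE = build_macho64([("__PAGEZERO", 0), ("__TEXT", 0), ("__DATA", 0)])
PROTECTED_SAMPLE = build_macho64([("__PAGEZERO", 0), ("__TEXT", SG_PROTECTED_VERSION_1), ("__DATA", 0)])
FAT_SAMPLE = build_fat([CLEAN_SAMPLE, PROTECTED_SAMPLE])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("protected", PROTECTED_SAMPLE), ("fat", FAT_SAMPLE)):
        print(label, scan_macho(blob))
```

On a real system the same `scan_macho` can be pointed at the contents of any executable read from disk; a hit on `__TEXT` is a strong triage signal, since third-party software has no legitimate reason to ship with that flag set.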

Exactly how the malware gets installed is yet to be discovered; the leading possibilities are that users are deceived into installing it believing it to be benign software, or that it is bundled with another piece of malware that runs its installer. While this malware alone is not enough to prove that HackingTeam is active again, Vilaça found through the Shodan search engine and a VirusTotal scan of the control-server IP address embedded in the sample that the server was active as recently as January, which means the malware, regardless of its origin, should be treated as more than a hoax.

Alexander Neil
