
Mac Malware Implies HackingTeam Has Returned

HackingTeam has been quiet since the breach last July that exposed embarrassing amounts of its private data, emails and source code. Now researchers have discovered newly developed malware targeting Apple's OS X that has led them to believe the group has returned.

A sample of the malware was uploaded to Google's VirusTotal scanning service on the 4th of February, at which point no major anti-virus product detected it (according to Ars Technica, it is now detected by 10 of 56 engines). On Monday, SentinelOne researcher Pedro Vilaça described some of the malware's functions and showed that it was last updated around October or November; its embedded encryption key is dated October 16th. The malware works by installing a copy of HackingTeam's Remote Control System (RCS) compromise platform. Taken together, these two findings suggest the malware is built on the team's old, unremarkable code rather than the entirely new code the group promised it would return with after its compromise.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

A separate examination of the sample by Patrick Wardle, a Mac security expert at Synack, found that although the malware appears to be built on the old HackingTeam code, it has several tricks for evading detection. Among them, it uses Apple's native binary encryption scheme to protect its executable, something Wardle had not seen malware do before.
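A practical check for the trick Wardle describes is to look at the Mach-O load commands rather than the file's bytes: an image that relies on Apple's own executable protection carries a segment marked with the SG_PROTECTED_VERSION_1 flag, which the kernel's protect pager honours by decrypting pages on load. The script below is an added example, not code from the article, from Wardle or from Vilaça. It assumes that this segment flag is the "native encryption scheme" in question (the article does not name the mechanism), additionally reports LC_ENCRYPTION_INFO load commands with a non-zero cryptid, parses only thin (non-fat) Mach-O images, and builds its own minimal, constructed Mach-O images as test input since no real sample is included.

```python
"""Flag Mach-O images that rely on Apple's native executable protection.

Added example (not from the article or the researchers it cites). Assumes the
protection scheme is the SG_PROTECTED_VERSION_1 segment flag; also reports
LC_ENCRYPTION_INFO(_64) with cryptid != 0. Thin Mach-O only, no fat binaries.
"""
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
SG_PROTECTED_VERSION_1 = 0x8          # from <mach-o/loader.h>


def protected_segments(data: bytes) -> dict:
    """Parse the load commands and return which segments are Apple-protected.

    Result: {"protected_segments": [segment names], "encryption_info": bool}.
    Raises ValueError for anything that is not a well-formed thin Mach-O.
    """
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O image")
    for end in ("<", ">"):                       # little- then big-endian header
        magic = struct.unpack(end + "I", data[:4])[0]
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (fat binaries are not handled)")
    is64 = magic == MH_MAGIC_64
    off = 32 if is64 else 28                     # mach_header(_64) size
    ncmds, sizeofcmds = struct.unpack(end + "II", data[16:24])
    if off + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    result = {"protected_segments": [], "encryption_info": False}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(end + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            name = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            # flags is the last uint32 of segment_command(_64): 56 / 72 bytes long
            flags_off = off + (72 if cmd == LC_SEGMENT_64 else 56) - 4
            flags = struct.unpack(end + "I", data[flags_off:flags_off + 4])[0]
            if flags & SG_PROTECTED_VERSION_1:
                result["protected_segments"].append(name)
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid = struct.unpack(end + "I", data[off + 16:off + 20])[0]
            if cryptid != 0:                     # 0 means "not actually encrypted"
                result["encryption_info"] = True
        off += cmdsize
    return result


def is_apple_protected(data: bytes) -> bool:
    """True if any segment is protected or an active encryption-info command exists."""
    r = protected_segments(data)
    return bool(r["protected_segments"]) or r["encryption_info"]


def build_macho64(segments):
    """Constructed test input: a minimal little-endian x86_64 MH_EXECUTE image
    whose only load commands are LC_SEGMENT_64 entries (name, flags). It has no
    sections or code and would not run; it exists only to exercise the parser."""
    cmds = b""
    for name, flags in segments:
        cmds += struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72,
                            name.encode().ljust(16, b"\0"),
                            0, 0x1000, 0, 0x1000,       # vmaddr, vmsize, fileoff, filesize
                            7, 5, 0, flags)             # maxprot, initprot, nsects, flags
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(segments), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    # Usage: python protected_macho.py <path-to-mach-o>
    with open(sys.argv[1], "rb") as f:
        print(protected_segments(f.read()))
```

Note that SG_PROTECTED_VERSION_1 leaves the first page of a segment that starts at file offset 0 unprotected, so strings in that page may still be visible even when the rest of __TEXT is encrypted; a hit here is a reason to dump the decrypted image from a running process rather than to trust static scanning.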

Exactly how the malware is installed is not yet known; the leading possibilities are that users are tricked into installing it in the belief that it is benign software, or that it is bundled with another piece of malware whose installer runs it. While this malware alone is not enough to prove that HackingTeam is active again, Vilaça found through the Shodan search engine and a VirusTotal scan of the IP address in the sample that the control server was active as recently as January, which means this malware, whatever its origin, should be treated as more than a hoax.

Alexander Neil

