More of Hacking Team’s capabilities and questionable actions revealed
The Hacking Team data leak has shown us with whom the company does business, and its employees’ and management’s unguarded opinions about various individuals, companies, and institutions around the world.
But it has also given us a better idea about the company’s capabilities: from buying zero-day vulnerabilities, creating and using exploits, to the capabilities of their products.
Concrete information about commercial spyware toolkits developed by companies like Hacking Team and Gamma Group International is occasionally shared by researchers who have managed to get their hands on samples and reverse-engineer them, and unconfirmed information is sometimes discovered in leaked company documents.
This time, it’s the leaked source code that shows us more than the company would have liked.
Bromium Labs’ Nick Cano has a great write-up about the capabilities of Remote Control System, Hacking Team’s Remote Access Trojan (RAT): which platforms it can target (practically all of the most popular ones, including mobile ones); which data and information it can steal, record and log; how it can determine where the infected machine is; how it can spread; and how it can protect itself.
Malwarebytes’ Adam McNeil has also shared some details he discovered in the leaked source code, emails and documentation.
Lookout researcher David Richardson said that they have found that – contrary to popular opinion – the Hacking Team spyware can also infect non-jailbroken iOS devices.
To make the OS accept the spyware without question, they signed the app with a compromised Apple enterprise certificate, which Apple revoked a couple of days ago. He shared details about the malicious app and how to find and remove it from a compromised device.
Finally, Brian Krebs has reported on how Hacking Team managed to restore access to some of the computers the Special Operations Group of the Italian National Military Police had installed Hacking Team’s RAT on.
The RAT was set to contact C&C servers on a number of IP addresses controlled by Santrex, a Web hosting provider favored by spammers. After Santrex unexpectedly shut down and abandoned the IP addresses in question, Hacking Team performed an IP address hijacking attack by taking advantage of the Border Gateway Protocol (BGP), the insecure core Internet routing mechanism, which lets any participating network announce a block of addresses whether or not it is authorised to do so.
“The Hacking Team e-mails show the impunity employees felt as they worked to hijack the block of inactive IP addresses, some of which hosted virtual private servers (VPSes) used as part of a command and control system for the computers infected with the RCS malware,” Dan Goodin pointed out.
“By having [Italian Web host] Aruba fraudulently announce the addresses, Hacking Team and its Italian customer could impersonate the Santrex hosting provider and reestablish communications with the infected machines.”
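The hijack described above worked because BGP itself does not check whether the network announcing an address block is entitled to it; that check has to be done by the networks receiving the announcement. The following is an added example, not code from Krebs’ report, from Ars Technica or from any of the companies named: a simplified route-origin validation check in Python, modelled on RPKI ROAs, run over a constructed feed of announcements in which an address block is re-announced from an unauthorised network. The prefixes and AS numbers are documentation values (RFC 5737, RFC 5398), not the real Santrex or Aruba allocations, which the page does not give.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed route-origin records (modelled on RPKI ROAs) for the prefixes an
# operator wants to watch: prefix -> (authorised origin ASN, maximum prefix length).
# ASNs 64496-64511 and these prefixes are documentation values, not real allocations.
EXPECTED_ORIGINS: Dict[IPv4Network, Tuple[int, int]] = {
    ip_network("192.0.2.0/24"): (64496, 24),
    ip_network("198.51.100.0/22"): (64497, 24),
}


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as seen from a route collector: prefix plus AS_PATH."""
    prefix: IPv4Network
    as_path: Tuple[int, ...]  # leftmost = nearest peer, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def validate_origin(ann: Announcement) -> str:
    """Classify an announcement the way RPKI route-origin validation does.

    'not-found': no record covers the prefix, so nothing can be said.
    'valid':     a covering record names this origin AS and permits this length.
    'invalid':   records cover the prefix but none matches (wrong origin AS, or a
                 more-specific prefix than the record allows).
    """
    covering = [(rec, origin, maxlen) for rec, (origin, maxlen) in EXPECTED_ORIGINS.items()
                if ann.prefix.subnet_of(rec)]
    if not covering:
        return "not-found"
    for _rec, origin, maxlen in covering:
        if ann.origin == origin and ann.prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def hijack_alerts(announcements: List[Announcement]) -> List[str]:
    """Return one human-readable alert per announcement that fails validation."""
    alerts = []
    for ann in announcements:
        if validate_origin(ann) != "invalid":
            continue
        expected = sorted({origin for rec, (origin, _) in EXPECTED_ORIGINS.items()
                           if ann.prefix.subnet_of(rec)})
        alerts.append(
            f"{ann.prefix} announced by AS{ann.origin} via {ann.as_path}; "
            f"authorised origin(s): {', '.join(f'AS{a}' for a in expected)}"
        )
    return alerts


# Constructed sample feed: a normal announcement, a legitimate more-specific,
# the same block re-announced from an unauthorised AS (the situation the article
# describes, an abandoned block re-originated by a different network),
# an over-specific prefix, and a prefix nobody holds a record for.
SAMPLE_FEED = [
    Announcement(ip_network("192.0.2.0/24"), (64500, 64496)),
    Announcement(ip_network("198.51.100.0/24"), (64500, 64497)),
    Announcement(ip_network("198.51.100.0/24"), (64500, 64499)),
    Announcement(ip_network("192.0.2.0/25"), (64500, 64496)),
    Announcement(ip_network("203.0.113.0/24"), (64500, 64498)),
]

if __name__ == "__main__":
    for ann in SAMPLE_FEED:
        print(f"{str(ann.prefix):20} origin AS{ann.origin:<6} {validate_origin(ann)}")
    for alert in hijack_alerts(SAMPLE_FEED):
        print("ALERT:", alert)
```

The third sample announcement is the one that matters here: the block is covered by a record, but the origin AS is not the one authorised, so a router doing origin validation would drop or deprioritise it, and a monitoring feed would raise an alert. Note the ‘not-found’ state: a prefix with no record at all, like an abandoned block whose holder never published one, gets no protection from this check, which is why operators are encouraged to publish records for every block they hold, including dormant ones.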