A newly analyzed OS X malware sample shows that Hacking Team is likely still using old code for its newest spying tools. An alternative (but less likely) theory is that someone has been modifying the tools’ source code, which was leaked in the wake of the catastrophic hack that the infamous intrusion and surveillance software seller suffered last year.
The sample has been analyzed by SentinelOne’s Pedro Vilaça and Patrick Wardle, Synack’s director of R&D, two OS X security specialists.
The sample comes in the form of an encrypted binary, and was submitted to VirusTotal some three weeks ago (at the time it had a 0% detection rate).
In a very interesting blog post Wardle described his analysis process step-by-step, and noted that the binary – an implant installer (dropper) – has been encrypted with Apple’s native OS X encryption scheme, packed with HackingTeam’s custom packer (keypress, whose source code was also leaked), and drops a persistent implant. It is HackingTeam’s RCS implant, with only a few modifications.
Many of the tricks that the malware uses can be found in older RCS samples, but there is at least one new anti-debugging trick, Vilaça has noted in his analysis. The use of Apple encryption is new, and there is also some unique code in this sample that checks for newer OS X versions.
He pinpointed the configuration dates for the implant sample to October 2015, meaning that it’s from a few months after the Hacking Team breach. According to historical data from Shodan, the sample’s C&C server IP had been up since October 15, 2015 and went down on or about February 4th, 2016.
After the breach, Hacking Team tried to minimize its impact by saying that they had already been working on a new version of the implant and that this source code hadn’t been compromised by the attackers.
“Are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering ‘talent’?” Vilaça ponders. Or has a third party repurposed the leaked source code?
For now, the question remains unanswered.