Researchers have tracked down a new sample of Mac malware attributed to Hacking Team.
Last summer, a vigilante hacker broke into the systems of the infamous surveillance company Hacking Team, exposing a treasure trove of the company's secrets, including the source code of the spyware Hacking Team sold to dozens of countries around the world. The breach sent the company into "full on emergency mode," forcing it to ask its customers to shut off their systems.
More than six months later, we have the first real evidence that the company is still alive and well—and is making new spyware. For security researchers, however, Hacking Team's tools are still as unimpressive as they used to be.
Security researchers have identified a malware sample uploaded to the internet that appears to have been created by Hacking Team. They believe it is a new version of Hacking Team's old Mac malware: the sample is mostly made of the same code as the earlier Hacking Team malware for Mac OS X, but has new components that help it stay undetected.
The sample, which targets users of Apple's Mac operating system, was uploaded to the online malware repository VirusTotal at the beginning of February. Claud Xiao, a researcher at Palo Alto Networks, told me he noticed the sample last week and passed it on to Pedro Vilaça, a researcher at SentinelOne who specializes in Mac malware. After analyzing it, Vilaça concluded that it was most likely made by Hacking Team.
According to both Vilaça and Patrick Wardle, a security researcher who works for the security firm Synack and has also analyzed the sample, while this is a new version, it doesn't have any new major upgrades since the hack.
"They are still doing business with all the leaked code," Vilaça told me in an online chat. "If they were already bad before the leak, with all the source code leaked, that's pretty bad."
After the hack on its own computers, Hacking Team said that it had been working on a new version of its hacking and spying suite Remote Control System, or RCS, for months. Hacking Team CEO David Vincenzetti called this yet-to-be-released version a "brand new and totally unprecedented cyber investigation solution" in an email sent to his mailing list.
Based on his analysis, however, Vilaça is skeptical of Hacking Team's claims. If they had really been working on new code, that would have been leaked too, he told me.
"It makes no sense. They were hacked to the bone, and they had the new code highly protected, but nothing else? Not very plausible," he said.
This new sample is dated October 2015, a few months after the hack. It's possible that after the breach, when antivirus companies updated their systems to detect its malware, Hacking Team made it a priority to make its products invisible again, without implementing new code. (Hacking Team did not respond to a request for comment.)
Alberto Pelliccione, a former Hacking Team employee who used to head their Android malware division, said he agreed with Vilaça's analysis of the Mac malware.
"Same as usual. [Hacking Team] just repackaged the malware to avoid detection [by antivirus products]," he told Motherboard in an online chat. "They did the least amount of effort to get it back out. You can tell there hasn't been a real effort to do much more."
Yet, when the sample was uploaded to VirusTotal, no antivirus detected it as malware.
"They are lame," Vilaça added. "But it's still effective."
After the attention it got from security researchers, it seems antivirus companies have started to pick up on it. At the time of publication, ten antivirus services detect it, according to VirusTotal.