Just like any regular tech company, vendors such as Hacking Team or NSO Group, which sell software designed to spy on computers and cellphones, have to convince potential customers that their product is worth the thousands of dollars, or sometimes millions, that it costs.
For that, companies often set up controlled live demos, showing the potential buyers, usually police departments and intelligence agencies, how their technology works and just how great their spyware is. Unless you are a police agent, a middleman who resells this type of software, or you’ve worked in one of these companies, you’ve probably never seen one of these demos—until today.
Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little-known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products or its customers.
The video shows an RCS Lab employee performing a live demo of the company’s spyware to an unidentified man, including a tutorial on how to use the spyware’s control software to perform a man-in-the-middle attack and infect the computer of a target who wanted to visit a specific website.
RCS Lab’s spyware, called Mito3, allows agents to easily set up these kinds of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select “inject HTML” to force the malicious popup to appear, according to the video.
Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard.
The company’s employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware.
“All this installation process is, in reality, is completely a fake. It’s sort of a movie,” the RCS Lab employee says in the video. “Because in reality, at this point, he’s already infected.”
The demo doesn’t really showcase any unprecedented hacking technique—fake Flash updates have long been a tool for cybercriminals and hackers to trick users into installing malware onto their computers—but it’s a small glimpse into how surveillance vendors try to sell their malware to governments around the world.