The Hacking Team breach exposed to the IT industry the tooling the Italian surveillance firm used to compromise targets across a wide range of platforms. Security researchers who analyzed the material leaked online identified the exploits the firm used to break into its targets and deliver its RCS (Remote Control System) surveillance malware.
While researchers at Rook Security have released Milano, a free tool that detects the presence of Hacking Team malware on target systems, Facebook has published osquery “query packs” for detecting Hacking Team spyware on Mac OS X systems.
The query packs, published on Facebook's code page, let analysts search their hosts for signs of Hacking Team infection on Mac OS X systems.
“Query packs help you group queries by function or problem domain into files that are easy to download, distribute, and update. Network security monitoring has had this concept for ages (e.g., Emerging Threats), and now we’re bringing it to a free, performant host instrumentation platform. Query packs utilize osqueryd’s existing query scheduler. As queries within the pack are executed on a defined, configurable interval, so you’ll receive data differentials and alerts for changes that matter to you.” reports the Facebook code page.
The query packs are built for osquery, Facebook's open-source host instrumentation tool, which exposes operating-system state (running processes, files, launch agents, installed applications) as SQL tables. Administrators can use the packs to collect that state from an entire fleet on a schedule and ask targeted questions of it to uncover potential security threats.
Facebook has recently provided an update to extend protection against some critical Apple Mac and iPhone vulnerabilities.
“Attackers continue to develop and deploy Mac OS X backdoors. We’ve seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives.” states Facebook in a blog post under the section “Mac OS X attacks”.
Security teams can also create their own query packs to group specific sets of queries, including ones written specifically for Mac OS X machines.
Javier Marcos, a security engineer at Facebook, explained that the query pack includes queries that are able to detect a Hacking Team intrusion on a targeted Mac OS X system.
“For the recent HackingTeam OS X backdoor, here are some queries we include that can help identify its presence in your infrastructure:”
select * from file where path = '/dev/ptmx0';
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';
osquery users can also write their own queries to identify other threats to their systems.
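To show how those three queries are actually used in practice, here is an added example (not Facebook's osx-attacks pack and not code from the article) that packages them as an osquery query pack and triages the differential results log that osqueryd writes when a scheduled query's result set changes. The pack name ht_rcs_osx, the query names, the interval, the host identifiers and the sample log lines are all constructed for illustration; the log format (one JSON object per line, with name, hostIdentifier, action and columns fields, and scheduled pack queries named pack_<pack>_<query>) is osquery's own.

```python
"""Package the Hacking Team RCS queries as an osquery pack and triage
osqueryd's differential results log for hits.

Added example, not Facebook's osx-attacks pack. Pack name, query names,
interval, host names and log lines below are constructed for illustration.
"""
import json

PACK_NAME = "ht_rcs_osx"  # hypothetical pack name

# The three queries exactly as quoted in the article.
RCS_QUERIES = {
    "rcs_pty_device": "select * from file where path = '/dev/ptmx0';",
    "rcs_app_bundle": (
        "select * from apps where bundle_identifier = 'com.ht.RCSMac' "
        "or bundle_identifier like 'com.yourcompany.%' "
        "or bundle_package_type like 'OSAX';"
    ),
    "rcs_launchd": (
        "select * from launchd where label = 'com.ht.RCSMac' "
        "or label like 'com.yourcompany.%' "
        "or name = 'com.apple.loginStoreagent.plist' "
        "or name = 'com.apple.mdworker.plist' "
        "or name = 'com.apple.UIServerLogin.plist';"
    ),
}


def build_pack(interval: int = 3600) -> dict:
    """Return the pack in the JSON shape osqueryd loads under its "packs" key.

    "platform": "darwin" keeps the pack from being scheduled on non-Mac hosts.
    """
    return {
        "platform": "darwin",
        "queries": {
            name: {
                "query": sql,
                "interval": interval,
                "description": "Hacking Team RCS OS X backdoor indicator",
            }
            for name, sql in RCS_QUERIES.items()
        },
    }


def triage_results(log_lines, pack_name=PACK_NAME):
    """Map host -> list of (query, columns) for rows newly 'added' by this pack.

    Differential logging reports rows that appeared ('added') or vanished
    ('removed') since the previous run; only 'added' rows are alerts here,
    and rows from other packs are ignored.
    """
    prefix = f"pack_{pack_name}_"
    hits = {}
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        name = event.get("name", "")
        if not name.startswith(prefix) or event.get("action") != "added":
            continue
        query = name[len(prefix):]
        hits.setdefault(event["hostIdentifier"], []).append((query, event["columns"]))
    return hits


# Constructed sample of osqueryd.results.log lines (not real telemetry).
SAMPLE_RESULTS_LOG = [
    '{"name":"pack_ht_rcs_osx_rcs_launchd","hostIdentifier":"mbp-alice",'
    '"calendarTime":"Thu Jul  9 10:00:00 2015 UTC","unixTime":"1436436000",'
    '"action":"added","columns":{"label":"com.ht.RCSMac","name":"com.ht.RCSMac.plist",'
    '"path":"/Users/alice/Library/LaunchAgents/com.ht.RCSMac.plist"}}',
    '{"name":"pack_ht_rcs_osx_rcs_pty_device","hostIdentifier":"mbp-alice",'
    '"calendarTime":"Thu Jul  9 10:00:00 2015 UTC","unixTime":"1436436000",'
    '"action":"added","columns":{"path":"/dev/ptmx0","size":"0"}}',
    # A 'removed' row: the artefact went away, so it is not a new alert.
    '{"name":"pack_ht_rcs_osx_rcs_app_bundle","hostIdentifier":"mbp-bob",'
    '"calendarTime":"Thu Jul  9 11:00:00 2015 UTC","unixTime":"1436439600",'
    '"action":"removed","columns":{"bundle_identifier":"com.ht.RCSMac","path":"/tmp/x.app"}}',
    # A row from a different pack: out of scope for this triage.
    '{"name":"pack_osx-attacks_OSX_Flashback","hostIdentifier":"mbp-carol",'
    '"calendarTime":"Thu Jul  9 11:00:00 2015 UTC","unixTime":"1436439600",'
    '"action":"added","columns":{"path":"/Users/carol/.flashback"}}',
]


if __name__ == "__main__":
    print(json.dumps({"packs": {PACK_NAME: build_pack()}}, indent=2))
    for host, rows in triage_results(SAMPLE_RESULTS_LOG).items():
        for query, columns in rows:
            print(f"ALERT host={host} query={query} {columns}")
```

The dict printed by the main block is a complete inline "packs" entry for osquery.conf; the same object can also be written to its own file and referenced by path. One caveat worth keeping in mind when tuning the pack: the like 'com.yourcompany.%' clause matches the placeholder bundle identifier prefix that older Xcode templates used by default, so a hit on that clause alone, without the com.ht.RCSMac label or the named plists, is worth checking against the bundle path before it is treated as a confirmed RCS infection.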
(Security Affairs – Facebook, Hacking Team)