Hacking

Hacking Team is back … probably it never stopped its activity. Watch Out!

ESET collected evidence of Hacking Team ‘activity post-hack, the company published an interesting analysis based on post hack samples found in the wild.

Security researchers at ESET have spotted in fourteen countries previously unreported samples of the Remote Control System (RCS), the surveillance software developed by the Italian Hacking Team, in fourteen countries.

Malware researchers that analyzed the sample believe that the Hacking Team developers are continuing the development of the surveillance malware.

Since 2003, Hacking Team gained notoriety for selling surveillance tools to governments and intelligence agencies, but human rights research group criticized its alleged sales to the authoritarian regimes.

The Remote Control System (RCS) is a sophisticated spyware that is able to transform the device in a surveillance tool by activating the webcam and microphone, extracting information from a targeted device, and intercepting emails and instant messaging.

The company made the headlines in July 2015 when it suffered a major security breach and attackers exfiltrated 400GB of internal data, including the spyware source code.

After the hack, Hacking Team was forced to request its customers to stop all the operation and don’t use the spyware.

“The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild.” states the analysis published by ESET.

“A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.”

The experts started the investigation after researchers from the Citizen Lab provided them information that led to the discovery of a version of the RCS software signed with a previously unseen valid digital certificate.

The researchers uncovered many samples of Hacking Team spyware created after the 2015 data breach, their code implements some changes compared to variants released before the source code leak.

“The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.” continues the analysis.

“Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.”

ESET found six different certificates issued in succession, four of them were issued by Thawte to four different companies, and two were issued to the Hacking Team co-founder Valeriano Bedeschi and a guy named Raffaele Carnacina.

The samples analyzed have forged Manifest metadata to trick users into believing that they are using legitimate applications such as “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.

To avoid detection vxers behind the samples have been using VMProtect, a technique observed also in Hacking Team spyware used before the HT hack.

The researchers believe that Hacking Team developers have developed the post-leak samples and no other APT that would have borrowed their code,

“We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.” continues ESET.

“The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.”

The samples analyzed continues the versioning progression used in pre-leak samples, experts also noticed that the same names (Scout and Soldier) in the samples that were also present in past codes.

The researchers also discovered a subtle difference between the pre-leak and the post-leak samples is the difference in Startup file size. They pointed out that before the leak, the size of the copied file is 4MB, meanwhile, in the post-leak samples this file copy operation is padded to 6MB, most likely as a primitive detection evasion technique.

In the following table, there is the timeline associated with Hacking Team Windows spyware samples. The red item is the code reuse attributed to the Callisto APT Group.

The experts found further differences that led them to attribute the new sample to the original HT development team, but they avoided to disclose them to continue to track the group.

The post-leak samples analyzed by the researchers, at least in two cases, were delivered in spear phishing message with an executable file disguised as a PDF document.

“Furthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team’s own coding style and are often found in places indicating a deep familiarity with the code.” concludes ESET.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.”

[adrotate banner=”9″] [adrotate banner=”12″]

 Pierluigi Paganini

(Security Affairs – Hacking Team,  RCS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

56 mins ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.