• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Intelligence
  • Malware
  • New HackingTeam OS X RCS spyware in the wild, who is behind the threat?

New HackingTeam OS X RCS spyware in the wild, who is behind the threat?

Pierluigi Paganini March 01, 2016

A new OS X sample of the Hacking Team RCS has been detected in the wild, who is managing it? Is the HackingTeam back?

A group of malware researchers has discovered a new strain of Mac malware undetected my most security firm, but more  intriguing is the speculation that the malicious code may have been developed by the Italian security firm HackingTeam.

Pedro Vilaça, a security researcher at SentinelOne, has published an interesting post titled “The Italian morons are back! What are they up to this time?” that analyzes a sample of OS X RCS recently received by the expert. Remote Control System, aka RCS, is the surveillance software developed by the Italian firm and used by a large number of government and intelligence agencies worldwide.

Hacking Team RCS alleged clients

The sample was uploaded on February 4 to the VirusTotal which at the time confirmed that the malware wasn’t detected, meanwhile at the time I’was writing it has a detection rate of 15/55.

HackingTeam Mac OS RCS 2016 Virus Total

The analysis of the new sample received by Vilaça revealed that the installer was last updated in October or November, and the configuration date for this sample is October 2015, a few months after the HackingTeam hack.

“First we locate the configuration file encryption key and then decrypt it. There we can find the configuration dates for this sample, 2015-10-16, confirming that this is indeed a post hack sample. The C&C server IP for this sample is 212.71.254.212. It’s already down and I didn’t verified if it was up before starting to tweet about this sample on last Friday” states Vilaça.

Still,Vilaça used the Shodan search engine and VirusTotal to perform further researches on the C&C server, he discovered that the machine referenced by this OS X RCS sample was still active in January.

What happened to HackingTeam after the clamorous data breach? At the time they promised to release a new version that they were telling was not affected by the hack. Is this really true?

The company announced to release a new version of its surveillance software, but the analysis of the source code of this new sample suggests that is has been compiled out of the leaked source code base, and apparently it hasn’t introduced new improvements.

“I can guarantee you that this sample code is coming from that code base, up to the last commit (there are probably newer commits after the leak). HackingTeam appears to have resumed their operations but they are still using their old source code for this. Of course there is a question of are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering “talent”? This is definitely a question their customers will have to ask them ;-).” continues the expert.

The expert concluded that the new strain of Mac malware is a very fresh sample that demonstrates that the HackingTeam is still alive and that is is operating under cover.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have show us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another interesting analysis of this new sample of the RCS spyware has been published by Patrick Wardle, a cyber security expert at Synack. Wardle explained that the new sample is based on the old HackingTeam RCS code, but implements sophisticated techniques to evade detection and analysis.

Last summer, at Blackhat Wardle gave a presentation entitled Writing Bad @$$ Malware for OS X that provided suggestions as to how OS X malware could be improved, including the use of Apple’s native encryption scheme to protect malicious binaries.

“Diving in, the first thing we notice is that it is encrypted with Apple’s native OS X encryption scheme.” wrote Wardle. “… it’s nice to finally see some OS X malware that uses Apple’s native OS X encryption scheme, as well as custom packers. “

The expert noticed that the installer was “packed” with this technique to make hard reverse engineering and analysis.

At this point, there are two hypotheses on the origin of the sample:

  • Someone is maintaining and updating the code leaked in the HackingTeam hack.
  • HackingTeam is back, but it is still using old RCS code with a few improvements.

Let me close with the last update provided by Vilaça in his analysis.

“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”

Pierluigi Paganini

(Security Affairs –  Hacking Team, OS X RCS)


facebook linkedin twitter

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT