New HackingTeam OS X RCS spyware in the wild, who is behind the threat?

Pierluigi Paganini March 01, 2016

A new OS X sample of the Hacking Team RCS has been detected in the wild. Who is managing it? Is HackingTeam back?

A group of malware researchers has discovered a new strain of Mac malware that goes undetected by most security firms, but more intriguing is the speculation that the malicious code may have been developed by the Italian security firm HackingTeam.

Pedro Vilaça, a security researcher at SentinelOne, has published an interesting post titled “The Italian morons are back! What are they up to this time?” that analyzes a sample of OS X RCS he recently received. Remote Control System, aka RCS, is the surveillance software developed by the Italian firm and used by a large number of government and intelligence agencies worldwide.

[Image: Hacking Team RCS alleged clients]

The sample was uploaded to VirusTotal on February 4, and at that time the service confirmed that the malware was not detected; at the time I was writing, it has a detection rate of 15/55.

[Image: HackingTeam Mac OS RCS 2016 VirusTotal results]

The analysis of the new sample received by Vilaça revealed that the installer was last updated in October or November, and the configuration date of this sample is October 2015, a few months after the HackingTeam hack.

“First we locate the configuration file encryption key and then decrypt it. There we can find the configuration dates for this sample, 2015-10-16, confirming that this is indeed a post hack sample. The C&C server IP for this sample is 212.71.254.212. It’s already down and I didn’t verify if it was up before starting to tweet about this sample last Friday,” states Vilaça.

Vilaça then used the Shodan search engine and VirusTotal to research the C&C server further, and he discovered that the machine referenced by this OS X RCS sample was still active in January.

What happened to HackingTeam after the sensational data breach? At the time, the company promised to release a new version that it claimed was not affected by the hack. Is this really true?

The company announced that it would release a new version of its surveillance software, but the analysis of this new sample suggests that it was compiled from the leaked source code base, apparently without new improvements.

“I can guarantee you that this sample code is coming from that code base, up to the last commit (there are probably newer commits after the leak). HackingTeam appears to have resumed their operations but they are still using their old source code for this. Of course there is a question of are they using both old and the new promised source code or were they just lying about it and resumed operations with old code since they are probably on a shortage of engineering “talent”? This is definitely a question their customers will have to ask them ;-).” continues the expert.

The expert concluded that the new strain of Mac malware is a very fresh sample that demonstrates that HackingTeam is still alive and is operating under cover.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another interesting analysis of this new sample of the RCS spyware has been published by Patrick Wardle, a cyber security expert at Synack. Wardle explained that the new sample is based on the old HackingTeam RCS code, but implements sophisticated techniques to evade detection and analysis.

Last summer, at Black Hat, Wardle gave a presentation entitled Writing Bad @$$ Malware for OS X that provided suggestions as to how OS X malware could be improved, including the use of Apple’s native encryption scheme to protect malicious binaries.

“Diving in, the first thing we notice is that it is encrypted with Apple’s native OS X encryption scheme,” wrote Wardle. “… it’s nice to finally see some OS X malware that uses Apple’s native OS X encryption scheme, as well as custom packers.”

The expert noticed that the installer was “packed” with this technique to hamper reverse engineering and analysis.
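Apple's native scheme marks an encrypted Mach-O segment with the SG_PROTECTED_VERSION_1 flag in its load command, so a triage script can spot such binaries without decrypting anything. The following Python helper is an added example, not code from the article or from either researcher's analysis; it walks the load commands of a thin little-endian Mach-O and reports protected segments, and the sample it builds is a constructed fixture rather than a real binary.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SG_PROTECTED_VERSION_1 = 0x8  # mach-o/loader.h: segment pages are encrypted by the OS

def protected_segments(data: bytes) -> list:
    """Return the names of segments flagged SG_PROTECTED_VERSION_1.

    Handles thin, little-endian 32- and 64-bit Mach-O files only; a fat
    (0xCAFEBABE) container would need each architecture slice walked separately.
    """
    if len(data) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        hdr_len, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, "<II16s4Q2iII"
    elif magic == MH_MAGIC:
        hdr_len, seg_cmd, seg_fmt = 28, LC_SEGMENT, "<II16s4I2iII"
    else:
        raise ValueError("not a thin little-endian Mach-O: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = hdr_len, min(len(data), hdr_len + sizeofcmds)
    names = []
    for _ in range(ncmds):
        if off + 8 > end:
            break  # load command table is truncated; report what was parsed
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            break  # a malformed cmdsize would otherwise loop forever or overrun
        if cmd == seg_cmd and cmdsize >= struct.calcsize(seg_fmt):
            fields = struct.unpack_from(seg_fmt, data, off)
            segname = fields[2].rstrip(b"\0").decode("ascii", "replace")
            if fields[-1] & SG_PROTECTED_VERSION_1:  # last field is the segment flags
                names.append(segname)
        off += cmdsize
    return names

def build_sample(protected: bool) -> bytes:
    """Constructed minimal x86_64 Mach-O with one __TEXT segment (a test fixture)."""
    flags = SG_PROTECTED_VERSION_1 if protected else 0
    seg = struct.pack("<II16s4Q2iII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, flags)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg), 0, 0)
    return hdr + seg

if __name__ == "__main__":
    for label, blob in (("protected", build_sample(True)), ("plain", build_sample(False))):
        print(label, protected_segments(blob))
```

On a real file, read it in binary mode and pass the bytes to protected_segments; a non-empty result is a strong hint that the binary will only decrypt in memory at load time and should be dumped from a running process rather than analysed on disk.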

At this point, there are two hypotheses on the origin of the sample:

  • Someone is maintaining and updating the code leaked in the HackingTeam hack.
  • HackingTeam is back, but it is still using old RCS code with a few improvements.

Let me close with the last update provided by Vilaça in his analysis.

“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reuse and repurposing of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”

Pierluigi Paganini

(Security Affairs –  Hacking Team, OS X RCS)
