SecurityWeek
New Hacking Team Spyware Samples Detected: ESET

New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.

Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.

The incident not only exposed Hacking Team's activities and forced it to ask customers to suspend all use of RCS; it also led to various actors reusing the leaked code and exploits in their own malicious operations.

Following the breach, Hacking Team faced an uncertain future, but the first reports of it resuming activity came only about half a year later, when a new sample of the firm's Mac spyware surfaced. In the meantime, the firm received an investment from a company named Tablem Limited, which is officially based in Cyprus but appears to have ties to Saudi Arabia.

Hacking Team's flagship product, RCS, packs all the functionality one would expect from a backdoor: it can extract files from a targeted device, intercept emails and instant messaging, and remotely activate the webcam and microphone.

The newly discovered RCS samples, ESET says, were compiled between September 2015 and October 2017 and can be traced to a single group, rather than having been built by various actors from the leaked source code. Furthermore, they are signed with a previously unseen, valid digital certificate issued by Thawte to a company named Ziber Ltd. A valid Authenticode signature says nothing about intent, but the signer name and the certificate's serial number are useful pivots for hunting related samples.

The new variants carry forged Manifest metadata to masquerade as a legitimate application, and their author used VMProtect in an attempt to evade detection, a practice "common among pre-leak Hacking Team spyware," ESET points out.

Several details suggest that these samples were built by Hacking Team's own developers. The versioning continues from where Hacking Team left off before the breach and follows the same patterns, and ESET found that the changes introduced in the post-leak updates are consistent with Hacking Team's coding style and show deep familiarity with the code.


“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code,” the security company says.

The researchers also found a subtle difference in the size of the Startup file: in the pre-leak samples the file copy operation padded it to 4MB, while the post-leak variants pad it to 6MB.

The spyware's capabilities have remained the same, with no significant update released to date, although the firm said after the leak that it would release a new solution. In two observed cases, the distribution vector was an executable file disguised as a PDF document, delivered to the victim through a spear-phishing email.
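The three static indicators described above (VMProtect packing, a Startup file padded to a fixed 4MB or 6MB size, and a PE executable disguised as a PDF lure) can be turned into a simple triage check. The script below is an added example written for this page; it is not ESET's tooling and not code from Hacking Team. It assumes VMProtect's default section names (`.vmp0`, `.vmp1`, `.vmp2`, general knowledge rather than something the article states) and treats "4MB" and "6MB" as exact MiB boundaries, which is an assumption since the article does not give the byte count. The sample files it scans are constructed in a temporary directory; they are header-only PE-shaped blobs, not real executables.

```python
"""Static triage for the RCS indicators discussed above (constructed example)."""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"
# VMProtect's default section names: general knowledge, not stated on the page.
VMPROTECT_SECTIONS = {b".vmp0", b".vmp1", b".vmp2"}
# ESET describes the Startup copy padded to 4MB (pre-leak) and 6MB (post-leak).
# Assumption: the boundary is an exact number of MiB.
PADDED_SIZES = {
    4 * 1024 * 1024: "4 MB (pre-leak style)",
    6 * 1024 * 1024: "6 MB (post-leak style)",
}


def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(path: str):
    """Return a list of findings for one file; empty if nothing matched."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    sections = pe_section_names(data)
    if sections is None:
        return findings                       # not a PE: none of the checks apply
    if os.path.splitext(path)[1].lower() == ".pdf":
        findings.append("PE executable carrying a .pdf extension (lure-style disguise)")
    hits = sorted(VMPROTECT_SECTIONS & set(sections))
    if hits:
        findings.append("VMProtect section names present: " + ", ".join(h.decode() for h in hits))
    if len(data) in PADDED_SIZES:
        findings.append(f"file size padded to exactly {PADDED_SIZES[len(data)]}")
    return findings


def build_fake_pe(section_names, total_size=None) -> bytes:
    """Constructed header-only PE blob for testing; it is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    blob = bytes(dos) + PE_SIGNATURE + coff + sections
    if total_size is not None:
        blob = blob.ljust(total_size, b"\0")  # zero-pad to the target size
    return blob


def demo():
    """Scan three constructed files and return {filename: findings}."""
    with tempfile.TemporaryDirectory() as d:
        lure = os.path.join(d, "invoice.pdf")        # constructed: packed PE named as a PDF
        with open(lure, "wb") as f:
            f.write(build_fake_pe([b".text", b".vmp0", b".vmp1"]))
        dropped = os.path.join(d, "startup.exe")     # constructed: padded to 6 MiB
        with open(dropped, "wb") as f:
            f.write(build_fake_pe([b".text"], total_size=6 * 1024 * 1024))
        benign = os.path.join(d, "report.pdf")       # constructed: a real PDF header
        with open(benign, "wb") as f:
            f.write(b"%PDF-1.4\n%constructed sample\n")
        return {os.path.basename(p): triage(p) for p in (lure, dropped, benign)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no findings"])
```

None of these checks is proof on its own: legitimate software is packed with VMProtect, and a file landing on a round size boundary can be coincidence. They are cheap filters for pulling candidates out of a large set for deeper analysis, where the Thawte/Ziber Ltd signer and the version string would be checked next.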

“Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016,” ESET says.

The security firm says the new Hacking Team spyware samples have already been detected in fourteen countries, but decided not to name them. It also withheld other newly uncovered details to avoid interfering with future tracking of the group.

Related: Hacking Team Flash Player Exploit Used to Target Japanese Organizations

Related: Surveillance Software Firm Hacking Team Suffers Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
