More than six months after the infamous surveillance firm Hacking Team disappeared in the wake of a massive breach on its own network, it seems the Italian software company is prepping a return to the game.
Security researchers have found new OS X malware in the wild that they believe has been developed by Hacking Team. The malware, researchers note, installs a copy of the software firm's Remote Code Systems compromise platform, leading them to believe that the infamous, controversial Italian firm is back.
The malware in question installs different programs on a computer. "The dropper is using more or less the same techniques as older Hacking Team RCS samples, and its code is more or less the same," wrote security researcher Pedro Vilaca.
The Hacking Team suffered a massive breach on its network last July. The hack saw over 400GB of data including sensitive information such as firm's relationship with governments, emails, source code, and exploits published online. The group has been mysteriously quiet since. "Either this is an old sample or HackingTeam are still using the same code base as before the hack," Vilaca wrote.
The sample was uploaded on Google-owned VirusTotal last month, and at the time, no popular antivirus program was able to detect it. At the time of writing, 15 antivirus programs including AVG, Eset-Nod 32, F-Secure, BitDefender, and TrendMicro were able to detect it.
Patrick Wardle of Synack security firm believes that the installer was last updated in October or November last year. He added that the sample of malware utilises most of the same code as old Hacking Team malware.
"I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code," Vilaca wrote. "Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction."
Many questions remain unanswered for now. It is not clear how this malware gets installed on a system. Wardle, however, has found out a way to check if your Mac is infected with it. He urges users to check for a file "Bs-V7qIU.cYL" in a folder called "~/Library/Preferences/8pHbqThW/ directory."