
Mac malware may indicate that Hacking Team has returned

by Sia

Hacking Team is a name that many will have heard of. After all, when the company was hacked in the middle of last year, the leaked documents revealed that the Malaysian government had bought spyware from it. Ever since that hack, the group has been keeping a low profile. That may be changing, though, as malware recently found on the Mac appears to contain code from Hacking Team itself.

A sample of this malware was first uploaded to Google’s VirusTotal scanning service at the beginning of February. Since then, a technical analysis published on Monday by SentinelOne security researcher Pedro Vilaça shows that this particular malware installs a copy of Hacking Team’s signature Remote Code Systems compromise platform. The curious thing about this malware is that Hacking Team has said it will be returning with new code, yet the malware uses old and largely unexceptional source code.

That is not to say the malware was made by amateurs, however. Patrick Wardle, Mac security expert at Synack, has examined the sample and concluded that it uses several advanced tricks to evade detection and analysis, even though it appears to install a new version of the old Hacking Team implant. For example, this malware uses Apple’s native encryption scheme to protect the contents of the binary file, making it the first malicious implant installer Wardle has ever seen to do so.
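The article does not name the encryption scheme, so the following is an added example (not code from the article, from Ars Technica, or from the researchers cited) that assumes the scheme meant is the Mach-O LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command, which marks a range of the file as encrypted and carries a `cryptid` field. A defender or analyst triaging a suspicious Mac binary can walk the load commands and flag any file whose `cryptid` is non-zero, since static tools will see only ciphertext in that range. The Mach-O bytes used here are constructed with the helper `build_sample_macho` and are not from the sample discussed.

```python
import struct

# Mach-O magic values (as read little-endian from the first four bytes).
MH_MAGIC = 0xFEEDFACE      # 32-bit, file stored little-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit, file stored little-endian
MH_CIGAM = 0xCEFAEDFE      # 32-bit, file stored big-endian
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit, file stored big-endian

LC_ENCRYPTION_INFO = 0x21     # encryption_info_command (32-bit images)
LC_ENCRYPTION_INFO_64 = 0x2C  # encryption_info_command_64 (64-bit images)


def find_encryption_info(data):
    """Parse a thin Mach-O image and return one dict per LC_ENCRYPTION_INFO(_64) command.

    Each dict holds the command id, the encrypted byte range (cryptoff, cryptsize)
    and cryptid; a non-zero cryptid means the range is actually encrypted.
    Raises ValueError for non-Mach-O input or a malformed load-command table.
    """
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        raise ValueError("not a thin Mach-O image (magic 0x%08x)" % magic)
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    header_size = 32 if is64 else 28  # mach_header_64 has an extra 'reserved' field
    ncmds, sizeofcmds = struct.unpack(endian + "II", data[16:24])
    if header_size + sizeofcmds > len(data):
        raise ValueError("load-command table runs past end of file")

    found = []
    off = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8 or off + cmdsize > header_size + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both layouts start with cryptoff, cryptsize, cryptid after cmd/cmdsize.
            cryptoff, cryptsize, cryptid = struct.unpack(endian + "III", data[off + 8:off + 20])
            found.append({"cmd": cmd, "cryptoff": cryptoff,
                          "cryptsize": cryptsize, "cryptid": cryptid})
        off += cmdsize
    return found


def is_encrypted(data):
    """True if any encryption-info command marks a range as encrypted (cryptid != 0)."""
    return any(info["cryptid"] != 0 for info in find_encryption_info(data))


def build_sample_macho(cryptid):
    """Constructed sample: a minimal x86_64 Mach-O with an LC_SYMTAB and an
    LC_ENCRYPTION_INFO_64 command. Not a real binary; for demonstration only."""
    symtab = struct.pack("<IIIIII", 0x2, 24, 0, 0, 0, 0)  # LC_SYMTAB, empty
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24,
                      0x1000, 0x4000, cryptid, 0)        # cryptoff, cryptsize, cryptid, pad
    cmds = symtab + enc
    header = struct.pack("<IIIIIIII",
                         MH_MAGIC_64, 0x01000007, 3, 2,    # magic, CPU_TYPE_X86_64, subtype, MH_EXECUTE
                         2, len(cmds), 0, 0)               # ncmds, sizeofcmds, flags, reserved
    return header + cmds + b"\x00" * 16


if __name__ == "__main__":
    for cid in (0, 1):
        sample = build_sample_macho(cid)
        print("cryptid=%d -> encrypted: %s" % (cid, is_encrypted(sample)))
        print("  commands:", find_encryption_info(sample))
```

On a real host the same check would be run over a file read from disk (`open(path, "rb").read()`); fat (universal) binaries would first need their per-architecture slices located, which this example deliberately leaves out.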

While the presence of Hacking Team’s code in a piece of malware does not conclusively prove that the group is back, the malware does indicate that whoever programmed it isn’t doing it as a hoax.

Source: Ars Technica
