Researchers find new Mac malware from HackingTeam

Source: Internet
Author: User

Researchers have found what appears to be newly developed Mac malware from HackingTeam, prompting speculation that the notorious malware developer has reemerged. Since last July, a breach of the group has exposed several gigabytes of its private emails and source code; now the author of this software appears to be active in public again.

The huge leak exposed the most private moments of a HackingTeam in disarray. Last month the company's CEO joked about it: imagine having to explain the most evil technology on Earth.

The sample was uploaded to Google's VirusTotal scanning service on February 4, at which point no major antivirus program detected it; by Monday of this week, 10 of the 56 antivirus engines in the report flagged it. SentinelOne security researcher Pedro Vilaça published a technical analysis on Monday morning. The installer was last updated on July 15 or later, and its embedded encryption key was updated on July 15, three months after the HackingTeam intrusion. The sample installs HackingTeam's signature Remote Code System intrusion platform, which led Vilaça to conclude that, despite the group's pledge in May to return with new code, the revived malware relies mostly on the old source code.

Vilaça wrote: HackingTeam is still very active. Just as with the email leak, we still don't help. If you are new to reverse engineering OS X malware, it is a good sample to practice on. I already have answers to the questions I was most concerned about, and I am not interested in the rest. I will not remember these people after the leak.

According to Patrick Wardle, a Mac security expert at Synack who tested the samples, the new version of HackingTeam's malware uses some advanced techniques to evade detection and analysis. For example, it uses Apple's native encryption scheme to protect the directory of binary files that make up the malicious implant installer. Wardle was nonetheless able to crack the encryption, because Apple uses a static hard-coded key (ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc), something reverse-engineering experts have long known. Even so, he found the installer was protected in a number of other ways, which limited the kinds of reverse engineering and analysis he wanted to perform.

The sample still leaves many questions unanswered. For example, how the malware is installed remains unclear. One possibility is that targets are tricked into installing what looks like a benign application; another is that the installer is bundled covertly with other software. Anyone who wants to know whether a Mac is infected can check for a file named Bs-V7qIU.cYL in the ~/Library/Preferences/8pHbqThW/ directory.
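As an added example (not code from the article or from the researchers it quotes), a POSIX shell script that sweeps the home directories on a Mac for the indicator path named above. The directory and file names come from the article; the sweep roots (/Users and /var/root) and the report format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers it quotes:
# sweep the home directories on a Mac for the indicator path the article
# names. The path is from the article; the sweep roots (/Users and
# /var/root) are assumptions. A hit is a reason to investigate, not proof.

IOC_DIR="Library/Preferences/8pHbqThW"
IOC_FILE="Bs-V7qIU.cYL"

# check_home HOME_DIR: report on one home directory.
# Returns 0 if the indicator file or its parent directory exists, 1 if clean.
check_home() {
    home="$1"
    dir="$home/$IOC_DIR"
    file="$dir/$IOC_FILE"
    if [ -f "$file" ]; then
        printf 'FOUND      %s\n' "$file"
        ls -l "$file"    # size and mtime help build the incident timeline
        return 0
    elif [ -d "$dir" ]; then
        # The directory name alone is unusual enough to warrant a look.
        printf 'SUSPICIOUS %s (directory present, file missing)\n' "$dir"
        return 0
    fi
    printf 'clean      %s\n' "$home"
    return 1
}

# sweep_homes [BASE_DIR]: check every directory under BASE_DIR (default
# /Users) plus the root user's home. Returns the number of homes with a hit,
# so fleet tooling can treat a non-zero exit status as "needs triage".
sweep_homes() {
    base="${1:-/Users}"
    hits=0
    for home in "$base"/* /var/root; do
        [ -d "$home" ] || continue
        if check_home "$home"; then
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Run the sweep when executed directly; the exit status is the hit count.
[ -n "${IOC_SWEEP_SOURCED:-}" ] || sweep_homes "$@"
```

Pointing `sweep_homes` at a mounted disk image's Users folder lets the same check run against an offline system.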

Vilaça said he could not be sure that the new sample is HackingTeam's work. Since gigabytes of data, including the Remote Code System source code, were leaked, another person or group could have recompiled the code and released it in a new installer. But Vilaça said that evidence from the Shodan search engine and VirusTotal's scan of the IP address showed that the command-and-control servers referenced in the sample were active again in May. In other words, the new malware is not simply a hoax.
