ESET: Hacking Team deploys new malware sample in 14 countries
According to researchers at ESET, a cybersecurity company, the Italian spyware group Hacking Team appears to have resumed development of its surveillance tool, Remote Control System (RCS), and new samples have been tested in 14 countries around the world.
Hacking Team was originally a legitimate software developer headquartered in Italy. Since its establishment in 2003, the company has notoriously sold its monitoring tools to numerous governments and agencies around the world.
Its Remote Control System (RCS) offers many capabilities, including extracting files from target devices, blocking email and instant messaging, and remotely activating the device’s webcam and microphone. Hacking Team has long been criticized for selling these capabilities to authoritarian regimes, an accusation the company has consistently rejected.
In July 2015, the company suffered a major data breach. Internal files over 400GB in size were exposed online, including a once-secret client list, internal communications records, and source code for its monitoring tools.
After the leak, the company warned that cybercriminals might use the leaked source code to carry out malicious activities. This proved to be the case: in April 2016, a hacker group called “Callisto” used the leaked RCS source code to launch an attack on the British Foreign Office.
ESET noted that although the leaked RCS source code has indeed been exploited by other groups, those cases amount to plain code reuse, whereas the newly discovered samples show a degree of modification relative to the original code.
All of these samples were compiled between September 2015 and October 2017. According to ESET’s telemetry, these compilation dates are genuine, because the samples appeared in real attacks within days of the compilation date recorded in each file.
After further analysis, ESET concluded that all of the samples can be traced back to a single group, rather than being separate builds constructed by different groups from the leaked source code.
An important indicator supporting this conclusion is the sequence of digital certificates used to sign the samples. ESET found six different certificates: four issued by Thawte to four different companies, one issued to Valeriano Bedeschi (a co-founder of Hacking Team), and one personal certificate in the name of “Raffaele Carnacina”, as shown in the table below:
| Certificate issued to | Validity period |
|---|---|
| Valeriano Bedeschi | 8/13/2015 – 8/16/2016 |
| Raffaele Carnacina | 9/11/2015 – 9/15/2016 |
| Megabit, OOO | 6/8/2016 – 6/9/2017 |
| ADD Audit | 6/20/2016 – 6/21/2017 |
| Media Lid | 8/29/2016 – 8/30/2017 |
| Ziber Ltd | 7/9/2017 – 7/10/2018 |
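To make the attribution reasoning concrete, here is an added Python example (not ESET’s code) that takes the certificate table above plus a few constructed, hypothetical sample records, checks whether the certificate validity windows form an unbroken chain, and flags any sample whose compile timestamp falls outside its signer’s validity or is contradicted by the first telemetry sighting. The sample records and the 30-day lag threshold are assumptions for illustration.

```python
from datetime import date

# Certificate table as reported in the article: (issued to, valid from, valid to).
CERTIFICATES = [
    ("Valeriano Bedeschi", date(2015, 8, 13), date(2016, 8, 16)),
    ("Raffaele Carnacina", date(2015, 9, 11), date(2016, 9, 15)),
    ("Megabit, OOO",       date(2016, 6, 8),  date(2017, 6, 9)),
    ("ADD Audit",          date(2016, 6, 20), date(2017, 6, 21)),
    ("Media Lid",          date(2016, 8, 29), date(2017, 8, 30)),
    ("Ziber Ltd",          date(2017, 7, 9),  date(2018, 7, 10)),
]

# Constructed sample records (hypothetical, not ESET's telemetry): (signer, PE compile timestamp, first sighting).
SAMPLES = [
    ("Raffaele Carnacina", date(2015, 10, 2), date(2015, 10, 5)),
    ("Megabit, OOO",       date(2016, 7, 1),  date(2016, 7, 3)),
    ("ADD Audit",          date(2016, 5, 1),  date(2016, 5, 3)),   # compiled before the certificate was issued
    ("Media Lid",          date(2017, 1, 10), date(2016, 12, 1)),  # seen in the wild before its compile date
    ("Ziber Ltd",          date(2017, 9, 20), date(2017, 9, 22)),
]


def certificate_chain_gaps(certs):
    """Sort certificates by start date; for each consecutive pair return the days between the earlier
    one expiring and the next one starting. Negative means overlap: a signing cert was always on hand."""
    ordered = sorted(certs, key=lambda c: c[1])
    return [
        (ordered[i][0], ordered[i + 1][0], (ordered[i + 1][1] - ordered[i][2]).days)
        for i in range(len(ordered) - 1)
    ]


def check_sample(signer, compiled, first_seen, certs, max_lag_days=30):
    """Return inconsistencies for one sample. A PE compile timestamp is trivially forgeable, so it is
    only trusted when the signer's cert was valid then and telemetry saw the file shortly after, never before."""
    cert = next((c for c in certs if c[0] == signer), None)
    if cert is None:
        return ["unknown signer"]
    issues = []
    if not (cert[1] <= compiled <= cert[2]):
        issues.append("compiled outside signer validity")
    if first_seen < compiled:
        issues.append("seen before compile timestamp")
    elif (first_seen - compiled).days > max_lag_days:
        issues.append("compile timestamp far before first sighting")
    return issues


def triage(samples, certs):
    """Map signer -> inconsistencies, for the samples that have any."""
    results = ((s[0], check_sample(*s, certs)) for s in samples)
    return {signer: issues for signer, issues in results if issues}
```

Run against the table, every consecutive pair of certificates overlaps, which is the continuous signing capability the article treats as a sign of one operator rather than several.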
These samples also carry forged manifest metadata to masquerade as legitimate software, for example “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.
ESET’s analysis further showed that the developers of the new samples used the software protection system VMProtect to keep the samples from being detected; this protector is commonly found in Hacking Team’s monitoring tools. In addition, the new samples use a number of payload naming conventions already known from Hacking Team, such as “Scout” and “Soldier”.
ESET pointed out that it also found further evidence that Hacking Team was involved in developing these samples. However, out of concern that disclosing too much detail could interfere with future tracking of the group, it will not publish all of the evidence at this stage, although it said it is willing to share these details with other researchers and has provided contact information for that purpose.
Source: welivesecurity