HackingTeam, a controversial Italian company that sells surveillance software to governments, may have released a malware dangerous for all of Apple's Mac machines. The same company was hacked to humiliation last year when their data was spilled into public hands including the source code for all of their software.
The malware this time is a "dropper", which is used to plant other software onto a computer and appears to install the HackingTeam's Remote Control System (RCS). The dropper, according to OS X security expert Pedro Vilaca, is using more or less the same techniques as older Hacking Team RCS samples, and its code is almost what it was prior to their hack last year.
Vilaca says by the looks of it this comeback mostly relies on an old, largely unexceptional source code, despite the group vowing in July that it would return with a new code. It is not clear how this malware gets installed on a system, but it uses an anti-debugging trick to make analysis by security researchers more difficult.
Detailing the potential threat Vilaca explains in his blog: "I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code. Either someone is maintaining and updating HackingTeam code or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction."
The HackingTeam had suffered a massive breach on its network in July 2015 where almost 400GB of data including sensitive information such as the firm's relationship with governments, emails, source code, and exploits were published online. It has also been accused in the past by privacy and human rights groups of selling its software to governments with poor human rights records.
The present threat lurks around OS X which is the second most widely used desktop OS after Windows. All of Apple's Mac computers run on this OS.
How to check if you are affected?
- To check if you are infected look for Bs-V7qIU.cYL or _9g4cBUb.psr which is dropped into the ~/Library/Preferences/8pHbqThW/ directory.
- If you do find any of these codes then delete that entire directory, and remove the ~/Library/LaunchAgents/com.apple.FinderExtAvt.plist file.