What Is It?
HackingTeam is an Italian-based purveyor of spyware which became notorious for selling its main surveillance tool, Remote Control System (RCS), to nation states with a dubious human rights record, as well as to various intelligence and law enforcement agencies. In July 2015, HackingTeam itself was hacked, resulting in the release of over 400GB of internal data including e-mails, customer lists and RCS’s source code. The hackers also gained access to the official HackingTeam Twitter account, which they used to publicly announce the hack and provide links to the data. The data revealed that HackingTeam’s employees used poor passwords, including “P4ssword”.
In the wake of the data breach, HackingTeam was forced to request that its customers discontinue using the RCS product, which cast doubt on the continuing viability of the company. Research done by Slovakia-based security company Eset describes samples of RCS which were created between September 2015 and October 2017 and run on Microsoft Windows. Similarities in coding style and other factors, which they have chosen not to make public, led Eset to be “fully convinced” that these new variants are from HackingTeam and were not created by other actors utilizing the previously released source code.
The samples make use of VMProtect, which describes itself as “software protection against reversing and cracking.” Eset found no major advances in functionality when compared to earlier variants, whose capabilities include extracting files, intercepting e-mails and instant messages, and covertly activating webcams and microphones. In at least two cases they found the samples attached to e-mails where the filename used multiple file extensions in an attempt to make an executable file appear to be a PDF.
So far these new variants have been detected in 14 unnamed countries. There is no valid reason for these samples to be present on a corporate network and their presence may indicate industrial espionage or other compromise.
How Does It Propagate?
The malware does not self-propagate. It has been observed attached to spear-phishing e-mails as an executable file that attempts to appear as a PDF file. This again highlights the importance of user education and awareness programs as a component of overall security protections.
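The double-extension trick described above (an executable named so that it reads as a PDF) is cheap to screen for at the mail gateway or in an attachment log. The following is an added example, not code from BluVector, Eset or HackingTeam: it flags attachment names whose last extension is executable and whose earlier extensions are document-like decoys, and it also handles the common variant where the decoy is padded with spaces to push the real extension out of view. The extension lists and the sample filenames are my own constructed assumptions, not indicators from the report.

```python
"""Flag e-mail attachment names that disguise an executable as a document.

Added example (not part of the original report). The extension sets below are
an assumption chosen for illustration; tune them for your environment.
"""
from dataclasses import dataclass

# Assumed set of extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi"}
# Assumed set of "decoy" extensions an attacker would want the user to see.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
              "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    severity: str   # "none", "medium" (bare executable) or "high" (disguised)
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return every dot-separated extension, lower-cased and with padding
    whitespace stripped, so 'report.PDF      .exe' yields ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return [p.strip() for p in parts[1:]]


def check_attachment_name(filename: str) -> Verdict:
    """Classify a single attachment filename."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, "none", "no extension")
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        # Multiple extensions alone are not suspicious (e.g. archive.tar.gz).
        return Verdict(filename, "none", f"final extension .{final} is not executable")
    decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
    if decoys:
        return Verdict(filename, "high",
                       f"executable .{final} disguised with .{decoys[-1]} decoy extension")
    return Verdict(filename, "medium", f"executable attachment .{final}")


def scan_attachments(filenames: list[str]) -> list[Verdict]:
    """Return verdicts for every name that warrants attention, most severe first."""
    order = {"high": 0, "medium": 1}
    hits = [v for v in map(check_attachment_name, filenames) if v.severity != "none"]
    return sorted(hits, key=lambda v: order[v.severity])


if __name__ == "__main__":
    # Constructed sample attachment names, not real indicators.
    sample = [
        "quarterly_report.pdf",
        "invoice.pdf.exe",
        "scan.PDF                      .scr",
        "setup.exe",
        "archive.tar.gz",
        "README",
    ]
    for verdict in scan_attachments(sample):
        print(f"[{verdict.severity:6}] {verdict.filename!r}: {verdict.reason}")
```

The check is deliberately name-based so it can run over a mail log with no access to the attachment bytes; pair it with a content-type check (a file claiming to be a PDF but starting with an MZ header) where the bytes are available.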
When/How Did BluVector Detect It?
Nine samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown that all samples would have been detected by all previous MLE models; depending on when each sample first appeared in the wild, they would have been detected between 21 and 50 months prior to their release.
About Threat Report
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and determining when our solution would protect customers from those threats.