What Is It?
HackingTeam is an Italian purveyor of spyware which became notorious for selling its main surveillance tool, Remote Control System (RCS), to nation states with poor human rights records, as well as to various intelligence and law enforcement agencies. In July 2015, HackingTeam itself was hacked, resulting in the release of over 400GB of internal data, including emails, customer lists and RCS's source code. The hackers also gained access to the official HackingTeam Twitter account, which they used to publicly announce the hack and provide links to the data. The data revealed that HackingTeam's employees used weak passwords, including "P4ssword".
In the wake of the data breach, HackingTeam was forced to request that its customers discontinue using the RCS product, which cast doubt on the continuing viability of the company. Research by Slovakia-based security company ESET describes samples of RCS that were compiled between September 2015 and October 2017 and run on Microsoft Windows. Similarities in coding style and other factors, which ESET has chosen not to make public, led them to be "fully convinced" that these new variants come from HackingTeam itself and were not created by other actors reusing the leaked source code.
The samples are packed with VMProtect, a commercial protector which describes itself as "software protection against reversing and cracking" and which hinders static analysis and signature-based detection. ESET found no major advances in functionality when compared to earlier variants, which include capabilities for extracting files, intercepting emails and instant messages and covertly activating webcams and microphones. In at least two cases, ESET found the samples attached to emails in which the attachment's filename carried multiple extensions so that an executable would appear to the recipient to be a PDF.
So far these new variants have been detected in 14 unnamed countries. There is no valid reason for these samples to be present on a corporate network, and their presence may indicate industrial espionage or other compromise.
How Does It Propagate?
The malware does not self-propagate. It has been observed attached to spear phishing emails as an executable file whose filename is constructed to make it appear to be a PDF. This again highlights the importance of user education and awareness programs as a component of overall security protections.
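The stacked-extension trick described above (and in the ESET findings earlier on this page) can be checked for mechanically at the mail gateway. The following is an added example, not code from BluVector, ESET or HackingTeam: it flags attachment names whose final extension is executable while an earlier one is a decoy such as .pdf, and it goes one step beyond the text by also comparing the claimed type against the file's leading bytes, so an executable simply renamed to .pdf is caught too. The extension lists, the magic-byte table and the sample attachments are all constructed for this example.

```python
"""Flag e-mail attachments that use stacked extensions to pass an executable
off as a PDF, and cross-check the claimed type against the file's magic bytes.
Added example; extension lists and sample data are constructed, not drawn
from any published sample."""
import os

# Extensions a recipient is meant to see (document- or image-like).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Extensions Windows will run as code when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}

# Minimal magic-byte table; only the two types this check needs.
MAGIC_SIGNATURES = [
    (b"MZ", "pe"),      # DOS/PE header shared by .exe, .scr and .dll
    (b"%PDF-", "pdf"),
]


def split_extensions(filename):
    """Return every extension in the basename, lowercase, in order.
    'Report.pdf.exe' -> ['.pdf', '.exe']. Whitespace inside a component is
    stripped so 'Report.pdf      .exe' (space padding to push the real
    extension out of view) is treated the same way."""
    base = os.path.basename(filename)
    parts = [p.strip() for p in base.split(".")]
    return ["." + p.lower() for p in parts[1:] if p]


def has_stacked_extensions(filename):
    """True when the final (real) extension is executable and an earlier one
    is a decoy. Windows hides known extensions by default, so the user sees
    'Report.pdf' for 'Report.pdf.exe'."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and any(
        e in DECOY_EXTENSIONS for e in exts[:-1])


def sniff_type(data):
    """Identify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, label in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def assess_attachment(filename, data):
    """Return a list of findings for one attachment; empty means neither
    check fired."""
    findings = []
    exts = split_extensions(filename)
    if has_stacked_extensions(filename):
        findings.append("stacked extensions " + "".join(exts))
    claimed = exts[-1] if exts else ""
    # A PE header under a non-executable name is a spoof even without stacking.
    if sniff_type(data) == "pe" and claimed not in EXECUTABLE_EXTENSIONS:
        findings.append("PE header but filename claims " + (claimed or "no extension"))
    return findings


# Constructed sample attachments (filename, leading bytes) for demonstration.
SAMPLES = [
    ("Invoice_2017.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # name spoof
    ("Invoice_2017.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # renamed executable
    ("Statement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),        # genuine PDF
    ("backup.tar.gz", b"\x1f\x8b\x08\x00"),                    # benign double extension
]


def scan_samples(samples=SAMPLES):
    """Map each filename to its findings."""
    return {name: assess_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "clean")
```

Note that a lone .exe attachment is not flagged by the extension check: that is a policy decision for the gateway, not a spoof. Benign double extensions such as .tar.gz pass because the final extension is not executable.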
When/How Did BluVector Detect It?
Nine samples are publicly available and BluVector's patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown that all of the samples would have been detected by every previous MLE model. Because the samples appeared in the wild at different times, this means each would have been detected between 21 and 50 months before its release.