
New Hacking Team Spyware Samples Detected: ESET



New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.

Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.

Not only did the incident expose Hacking Team’s activities and force it to ask customers to suspend all use of RCS, but it also resulted in various actors using the leaked code and exploits as part of their own malicious operations.

Following the data breach, Hacking Team faced an uncertain future; the first reports of it resuming activity came only half a year later, when a new sample of the firm's Mac spyware apparently emerged. In the meantime, the firm received an investment from a company named Tablem Limited, which is officially based in Cyprus but appears to have ties to Saudi Arabia.

Hacking Team’s top product, RCS, is a tool that packs all the functionality one would expect from a backdoor: it is capable of extracting files from a targeted device, intercepting emails and instant messaging, and remotely activating the webcam and microphone.

The newly discovered RCS samples, ESET says, were compiled between September 2015 and October 2017 and can be traced to a single group, rather than being built by various actors from the leaked source code. Furthermore, they have been signed with a previously unseen valid digital certificate, issued by Thawte to a company named Ziber Ltd.

The new variants include forged Manifest metadata to masquerade as a legitimate application, and their author used VMProtect in an attempt to make them harder to detect, a feature "common among pre-leak Hacking Team spyware," ESET points out.

Several clues suggest that these samples were built by the Hacking Team developers themselves. The versioning continues from where Hacking Team left off before the breach and follows the same patterns. ESET also discovered that the changes introduced in the post-leak updates fall in line with Hacking Team's coding style and show deep familiarity with the code.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code,” the security company says.

The researchers also discovered a subtle difference in Startup file size. In the samples before the leak, the file copy operation was padded to 4MB, while in the post-leak variants it is padded to 6MB.

The spyware’s capabilities remained the same, with no significant update released to date, although the firm said after the leak that it would push a new solution. In two different cases, the observed distribution vector was an executable file disguised as a PDF document and sent to the victim via a spear-phishing email.
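The two observable traits described above, a startup file padded to a fixed size (4 MB before the leak, 6 MB after) and an executable delivered under a PDF disguise, are the kind of weak indicators a mail gateway or sandbox can check cheaply. The following Python script is an added example written for this page, not code from ESET or from the article; it assumes the padding boundaries are exact mebibyte multiples, identifies executables by the `MZ` header alone, and treats any name containing `.pdf` (whether `report.pdf` or `invoice.pdf.exe`) as a PDF claim. The sample inputs are constructed in the script itself, and neither indicator on its own proves a file is RCS.

```python
"""
Attachment triage for two indicators reported for the post-leak RCS samples:
  1. a Windows executable (PE, 'MZ' header) presented to the recipient as a PDF;
  2. an executable whose size sits exactly on the 4 MB / 6 MB padding boundary.
"""
from dataclasses import dataclass, field
from typing import List

MIB = 1024 * 1024

# Assumption: the reported 4 MB (pre-leak) and 6 MB (post-leak) padding sizes
# are exact MiB multiples. Labels are constructed for this example.
KNOWN_PAD_SIZES = {
    4 * MIB: "padded to 4 MB (pre-leak RCS pattern)",
    6 * MIB: "padded to 6 MB (post-leak RCS pattern)",
}


@dataclass
class TriageResult:
    name: str
    size: int
    content_type: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def detect_content_type(data: bytes) -> str:
    """Classify by magic bytes, never by the file name the sender chose."""
    if data[:2] == b"MZ":        # DOS stub header of every PE executable
        return "pe"
    if data[:5] == b"%PDF-":     # PDF header
        return "pdf"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> TriageResult:
    """Apply both indicators to one attachment and return what was found."""
    content_type = detect_content_type(data)
    result = TriageResult(name=name, size=len(data), content_type=content_type)

    # Indicator 1: the name claims a PDF (foo.pdf, foo.pdf.exe, ...) but the bytes are PE.
    if content_type == "pe" and ".pdf" in name.lower():
        result.findings.append("executable presented as a PDF document")

    # Indicator 2: an executable whose total size lands exactly on a known padding boundary.
    if content_type == "pe" and result.size in KNOWN_PAD_SIZES:
        result.findings.append(KNOWN_PAD_SIZES[result.size])

    return result


def build_sample(content_type: str, total_size: int) -> bytes:
    """Constructed test input: a minimal header zero-padded to total_size bytes."""
    header = b"MZ" if content_type == "pe" else b"%PDF-1.4\n"
    return header + b"\x00" * (total_size - len(header))


if __name__ == "__main__":
    # Constructed attachments covering the benign and the suspicious cases.
    samples = {
        "contract.pdf": build_sample("pdf", 20_000),      # genuine PDF
        "invoice.pdf.exe": build_sample("pe", 6 * MIB),   # disguised, post-leak size
        "report.pdf": build_sample("pe", 4 * MIB),        # disguised, pre-leak size
        "setup.exe": build_sample("pe", 123_456),         # plain executable, no disguise
    }
    for name, data in samples.items():
        r = triage_attachment(name, data)
        print(f"{name:18} {r.content_type:8} {r.size:>9}  {'; '.join(r.findings) or '-'}")
```

The size check is deliberately kept separate from the disguise check so that each finding can be weighted on its own: a 6 MB executable is common, a PE named `.pdf` is rarely legitimate, and the two together are what the article describes.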

“Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016,” ESET says.

The security firm says the new Hacking Team spyware samples have already been detected in fourteen countries, but decided not to disclose the names of those countries. It also withheld other newly uncovered details to avoid interfering with future tracking of the group.

Related: Hacking Team Flash Player Exploit Used to Target Japanese Organizations

Related: Surveillance Software Firm Hacking Team Suffers Data Breach

...

http://feedproxy.google.com/~r/Securityweek/~3/ZT62lUPG0Fs/new-hacking-team-spyware-samples-detected-eset
