Security researchers at ESET have spotted in fourteen countries previously unreported samples of the Remote Control System (RCS), the surveillance software developed by the Italian Hacking Team, in fourteen countries.
Malware researchers that analyzed the sample believe that the Hacking Team developers are continuing the development of the surveillance malware.
Since 2003, Hacking Team gained notoriety for selling surveillance tools to governments and intelligence agencies, but human rights research group criticized its alleged sales to the authoritarian regimes.
The Remote Control System (RCS) is a sophisticated spyware that is able to transform the device in a surveillance tool by activating the webcam and microphone, extracting information from a targeted device, and intercepting emails and instant messaging.
The company made the headlines in July 2015 when it suffered a major security breach and attackers exfiltrated 400GB of internal data, including the spyware source code.
“A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.”
The experts started the investigation after researchers from the Citizen Lab provided them information that led to the discovery of a version of the RCS software signed with a previously unseen valid digital certificate.
The researchers uncovered many samples of Hacking Team spyware created after the 2015 data breach, their code implements some changes compared to variants released before the source code leak.
“The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.” continues the analysis.
“Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.”
ESET found six different certificates issued in succession, four of them were issued by Thawte to four different companies, and two were issued to the Hacking Team co-founder Valeriano Bedeschi and a guy named Raffaele Carnacina.
The samples analyzed have forged Manifest metadata to trick users into believing that they are using legitimate applications such as “Advanced SystemCare 9 (22.214.171.1241)”, “Toolwiz Care 126.96.36.199” and “SlimDrivers (188.8.131.52)”.
To avoid detection vxers behind the samples have been using VMProtect, a technique observed also in Hacking Team spyware used before the HT hack.
The researchers believe that Hacking Team developers have developed the post-leak samples and no other APT that would have borrowed their code,
“We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.” continues ESET.
“The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.”
The samples analyzed continues the versioning progression used in pre-leak samples, experts also noticed that the same names (Scout and Soldier) in the samples that were also present in past codes.
The researchers also discovered a subtle difference between the pre-leak and the post-leak samples is the difference in Startup file size. They pointed out that before the leak, the size of the copied file is 4MB, meanwhile, in the post-leak samples this file copy operation is padded to 6MB, most likely as a primitive detection evasion technique.
In the following table, there is the timeline associated with Hacking Team Windows spyware samples. The red item is the code reuse attributed to the Callisto APT Group.
The post-leak samples analyzed by the researchers, at least in two cases, were delivered in spear phishing message with an executable file disguised as a PDF document.
(Security Affairs – Hacking Team, RCS)