Hacking Team may be making a comeback with the new Mac OS X malware

A recently discovered new OS X malware sample suggests that it may be coming from Hacking Team, the controversial Italian company that sells surveillance software to governments. The exploit seller is returning to the market after a disastrous cyberattack, wherein their data was spilled into public hands including the source code for all of their software.

According to the security researchers, the new found OS X malware in the wild is likely a new version of Hacking Team’s old Mac malware. The sample, according to them, is mostly made of the same code as the old Hacking Team malware for Mac OS X, but has new components that help it stay undetected.

The researchers also note that the malware installs a copy of the software firm’s Remote Code Systems (RCS) compromise platform, leading them to believe that the infamous, controversial Italian firm is back.

The malware in question installs different programs on a computer. This time the malware is a “dropper”, which is used to plant other software onto a computer and appears to install the Hacking Team’s RCS. “The dropper is using more or less the same techniques as older Hacking Team RCS samples, and its code is more or less the same,” wrote security researcher Pedro Vilaca.

The Hacking Team had suffered a massive breach on its network last July where almost 400GB of data including sensitive information such as the firm’s relationship with governments, emails, source code, and exploits were published online. The group has been mysteriously quiet since. “Either this is an old sample or HackingTeam are still using the same code base as before the hack,” Vilaca wrote. The group has also been accused in the past by privacy and human rights groups of selling its software to governments with poor human rights records.

Earlier this month, a new OS X-based Trojan sample dubbed “Morcut” was uploaded to Google-owned VirusTotal, and at the time, no popular antivirus program was able to detect it. Until now, 15 antivirus programs including AVG, Eset-Nod 32, F-Secure, BitDefender, and TrendMicro were able to detect it.

Patrick Wardle of Synack security firm believes that the installer was last updated in October or November last year. He added that the sample of malware utilises most of the same code as old Hacking Team malware.

“I just found some unique code in this dropper. This code checks for newer OS X versions and does not exist in the leaked source code,” Vilaca wrote. “Either someone is maintaining and updating HackingTeam code (why the hell would someone do that!?!?!) or this is indeed a legit sample compiled by HackingTeam themselves. Reusage and repurpose of malware source code happens (Zeus for example) but my gut feeling and indicators seem to not point in that direction.”

It is unclear how this malware gets installed on a system. However, Wardle has figured out a way to check if your Mac is infected with it.

Here’s how you can check if you are affected:

• To check if you are infected look for Bs-V7qIU.cYL or _9g4cBUb.psr which is dropped into the ~/Library/Preferences/8pHbqThW/ directory.
• If you do find any of these codes then delete that entire directory, and remove the~/Library/LaunchAgents/com.apple.FinderExtAvt.plist file.