In the middle of last year, the Italian group HackingTeam had its servers hacked, and more than 1 million email messages and a total of 400GB of confidential information were leaked on the internet, practically leading to its extinction. Known for its ability to deliver malware as a service, the organization returned to the news this week, thanks to analyses of a sample of malicious software discovered for OS X.
The sample was analyzed by researcher Pedro Vilaça, who, through reverse engineering, found references to the source code of the remote execution service used by HackingTeam. According to analysis by Vilaça and Patrick Wardle, another researcher known for studying Mac malware, the new worm actually installs well-known services authored by the Italian group, although they differ little from those revealed by the group's leak in July.
It has also been recognized by the VirusTotal service, maintained by Google. Of the 55 known antiviruses on the market whose scanners the company supports, 13 already have signatures that flag it as a threat. Despite this, the malware proved able to circumvent OS X protections to hide from users, including using a static key normally used by Apple to protect its content.
For now, it is not yet known how this sample of malicious software gets installed on Macs. The researchers suggest that it could be bundled into legitimate applications that users are tricked into installing, or delivered by exploits that carry malicious code. In both cases, it is already known to install its files in a directory inside the logged-in user's own home folder (~/Library/Preferences/8pHbqThW/), making them easy to recognize for removal.
Vulnerability in Silverlight
On a related note, some malicious sites were caught using another attack tactic discovered by HackingTeam, based on a vulnerability in the Silverlight plugin that Microsoft has already fixed. It is also capable of loading the Italians' remote execution service onto users' machines, as well as any other malicious code.
In this case, however, mitigating the risk is not much work: the plugin no longer draws developer attention in new projects, its biggest backer, Netflix, relegated it to a secondary role in favor of an HTML5 player almost two years ago, and removing it from any computer in use poses no problem. Especially since, if you use Google Chrome, you have not been able to run it since January of last year.