The return of HackingTeam
The return of HackingTeam with new implants for OS X
Last week, Patrick Wardle published a [Only registered and activated users can see links. Click Here To Register...] of a new Backdoor and Dropper used by [Only registered and activated users can see links. Click Here To Register...], which is apparently alive and well. Since [Only registered and activated users can see links. Click Here To Register...] are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.
Encryption key
The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.
[Only registered and activated users can see links. Click Here To Register...]
By following this code we were able to find the new key used to encrypt the configuration file.
[Only registered and activated users can see links. Click Here To Register...]
As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:
[Only registered and activated users can see links. Click Here To Register...]
What does the implant do?
- It takes screenshots
- It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
[Only registered and activated users can see links. Click Here To Register...]
- It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
- It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
- It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
[Only registered and activated users can see links. Click Here To Register...]
Among other functionalities it also spies on the geolocation of the victim.
It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.
Source: [Only registered and activated users can see links. Click Here To Register...]
