The Hacking Team is back to developing spyware as previously unreported samples of its infamous surveillance tool, the Remote Control System (RCS), were spotted in the wild throughout fourteen countries, according to ESET researchers.
The RCS features include the ability to extract files from a target's device, intercept emails and instant messages, and remotely activate webcams and microphones.
Researchers choose not to name the countries to prevent potentially incorrect attributions based on the detections, but said the recently spotted malware is indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, according to a March 9 ESET blog post.
Researchers uncovered several samples of Hacking Team's spyware created after the 2015 hack, all of which had been slightly modified compared to variants released before the source code leak.
The changes introduced in the post-leak updates were made in line with Hacking Team's own coding style and are often found in places indicating a deep familiarity with the code making it unlikely that another threat actor created the newer version, the post said.
Researchers said its highly unlikely that that anyone other than the original Hacking Team developer(s) – would make changes in exactly the places when creating new versions from the leaked Hacking Team source code.
The samples were compiled between September 2015 and October 2017 and were deemed to be authentic based on telemetry data indicating the appearance of the samples in the wild within a few days of those dates, researchers said. .
“One indicator supporting this is the sequence of digital certificates used to sign the samples – we found six different certificates issued in succession,” researchers said in the report. “Four of the certificates were issued by Thawte to four different companies, and two are personal certificates issued to Valeriano Bedeschi (Hacking Team co-founder) and someone named Raffaele Carnacina”
The spyware also had forged Manifest metadata used to masquerade as a legitimate application in common appearing as Advanced SystemCare 9 (18.104.22.1681),” “Toolwiz Care 22.214.171.124” and “SlimDrivers (126.96.36.199),” the post said.
Craig Young, computer security researcher for Tripwire told SC Media that its interesting that Hacking Team would keep developing RCS as opposed to starting fresh with something that would not be tied back to them.
"It is also somewhat interesting (although not surprising) that Hacking Team still has a customer base after failing to protect their own systems," Young said. “Hacking Team malware is somewhat unique in that it is intended for law enforcement and intelligence gathering operations."
He went on to say that it is interesting for people to be aware that sometimes law enforcement and intelligence agencies use the same tactics as criminals.