May 9, 2013



HackingTeam first caught our attention back in 2011, when WikiLeaks released documents describing the functions of the spyware programs the company offers to government agencies in 2008.

In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar both to the programs described on WikiLeaks and to Remote Control System, a description of which was published on the company’s official website. At the time, however, we had no way of knowing about the connections between the threats that were detected (Kaspersky Lab detects them as Korablin) and the HackingTeam spyware program.

The program’s description from HackingTeam’s website

That all changed in July 2012, when many antivirus companies received an email with an example of malicious code for Mac OS X with the same functions.

Our email address received this message on July 24, 2012 at 05:51:24 MSK. The subject line was empty, and there was no text, just an attachment. The attachment was a self-signed JAR file containing a program written for Mac OS X.

The header of the email was addressed to

Soon, nearly all antivirus companies had added detection for this new malware, each under a different name (Crizis, DaVinci, Boychi, etc.; Kaspersky Lab named it ‘Morcut’). Nearly all of them suspected that the program was developed by HackingTeam, which sells specialized surveillance software to law enforcement agencies in a number of countries.


The fact that the functions are similar is just one of three circumstantial pieces of evidence linking HackingTeam to the files that were analyzed. Let’s take a look at the other two.

The leftover data in the Mac file contained the names of files and modules that the authors used when writing the program code. Alongside these names, the string “RCS” appeared several times, which coincides with the abbreviation of the Remote Control System name (HackingTeam uses this abbreviation in its promotional materials and in its own description of the program on its website).

