Spyware. HackingTeam…..

May 9, 2013



HackingTeam first caught our attention back in 2011, when WikiLeaks released documents describing the functions of the spyware programs the company offers to government agencies in 2008.

In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar to the programs described on WikiLeaks, and with Remote Control System, the description of which was published on the company’s official website www.hackingteam.it. However, at the time, we had no way of knowing about the connections between the threats that were detected (Kaspersky Lab detects them as Korablin) and the HackingTeam spyware program.

The program’s description from HackingTeam’s website http://www.hackingteam.it/images/stories/RCS2012.pdf

That all changed in July 2012, when many antivirus companies received an email with an example of malicious code for Mac OS X with the same functions.

Our email address newvirus@kasperksy.com received this email on July 24, 2012 at 05:51:24 MSK. The subject line was empty, and there was no text — just an attachment called AdobeFlashPlayer.zip. The attachment had a self-signed JAR-file containing a program written for Mac OS X.

The header of the email was addressed to newvirus@kaspersky.com

Soon, nearly all antivirus companies had added detection of this new malware, and each company named it differently (Crizis, DaVinci, Boychi, etc. — Kaspersky Lab named it ‘Morcut’). Nearly all antivirus companies suspected that the program was developed by HackingTeam, which sells specialized tracking software to law enforcement agencies in a number of countries.


The fact that the functions are similar is just one of three circumstantial pieces of evidence linking HackingTeam to the files that were analyzed. Let’s take a look at the other two.

The data overhead in the Mac file contained the names of files and modules that the authors used when writing the program code. These names were also seen several times with “RCS”, which coincides with the abbreviation of the Remote Control System name (this abbreviation is used by HackingTeam in its promotional materials and its own description of the program on their website).

P/s:- This article is an excerpt from Securelist http://www.securelist.com form Kaspersky Lab. Hope you all enjoy reading it…!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: