Hacking Team back in business: ESET discovers new spyware samples from the company

    Since its founding in 2003, the Italian cyber-espionage software developer Hacking Team has gained notoriety by selling its products to governments and intelligence agencies around the world. The company's flagship product, Remote Control System (RCS), can extract files from the target device, intercept e-mail and messages, and remotely control the webcam and microphone.

    ESET has discovered previously unknown RCS samples in 14 countries. Analysis of the new samples leads us to conclude that development of these tools is being continued by Hacking Team itself.

    From Hacking Team to Hacked Team

    Hacking Team had repeatedly been criticized for selling spyware to authoritarian regimes, but always denied the allegations. The situation changed in July 2015, when the company itself was hacked and the use of RCS by dictatorships was confirmed. After the leak of 400 GB of data, including a customer list, internal employee correspondence and the spyware source code, Hacking Team was forced to ask its customers to suspend use of RCS, and its future was uncertain.

    After the hack, the information security community closely watched the company's attempts to get back on its feet. The first sign of renewed activity came six months later, when a new sample of its Mac spyware appeared that seemed to be in active use. A year after the leak, Tablem Limited invested in Hacking Team and received a 20% stake in the developer. Tablem Limited is officially registered in Cyprus, but there are indications that it is connected with Saudi Arabia.

    After finishing our research into another spyware product, FinFisher, we noticed two interesting developments related to Hacking Team: a report on the company's financial recovery and the discovery of a new RCS version carrying a valid digital certificate.

    RCS: life goes on

    Early in the study, our colleagues at Citizen Lab, who have long monitored Hacking Team's activities, provided us with valuable material that allowed us to discover a new version of the spyware. The malware is currently in use in the wild and carries a new digital certificate.

    Further research uncovered several more samples of Hacking Team programs created after the 2015 hack, all of them slightly modified versions of the tools released before the source code leak.

    The samples were compiled between September 2015 and October 2017. We consider the compilation dates reliable, since ESET telemetry recorded the samples in use in the wild several weeks after compilation.

    Further analysis led us to conclude that all the samples originate from a single group; they are not isolated builds by different developers working from the Hacking Team source code leaked online.

    One argument for this view is the sequence of digital certificates used to sign the samples. We found six different certificates issued one after another. Four were issued by the Thawte certificate authority to four different companies; the other two are personal certificates in the names of Valeriano Bedeschi (a Hacking Team co-founder) and a certain Rafael Karnasina, as shown below.

    The samples also contain fake manifest metadata that disguises them as the legitimate software Advanced SystemCare 9 (9.3.3.0.1121), Toolwiz Care and SlimDrivers.

    Our analysis shows that the sample author(s) used VMProtect, apparently to make the samples harder to detect. Hacking Team used the same method in its programs before the leak.

    On its own, the connection between these samples could point to almost any group that has modified the leaked Hacking Team source code or installer, as the Callisto group did in early 2016. However, we gathered further evidence linking the new samples to Hacking Team's own developers.

    The version numbering in the new samples, which we could read after defeating the VMProtect protection, starts before the leak, continues after it and follows the same patterns. Hacking Team's developers typically compiled the functional components of the malware (named Scout and Soldier) in sequence, often on the same day, and the same can be observed in the new samples.

    The table below shows the compilation dates, versions and certificates of the Hacking Team Windows spyware samples released from 2014 to 2017; the Callisto group's reuse of the leaked source code is highlighted in red.

    In addition, our research confirmed that the changes made after the leak follow Hacking Team's own programming style and are often found in places that require a deep understanding of the code. It is unlikely that a developer outside Hacking Team building new versions from the leaked source code would make changes in these locations.

    One difference between the pre-leak and post-leak samples is the size of the startup file. Before the leak, the copied file was about 4 MB; after the leak it was 6 MB, perhaps as a crude way of evading detection.

    We found several other differences that fully convinced us of Hacking Team's involvement. However, disclosing them could interfere with further monitoring of the group's activity, so we cannot publish them. We are ready to share this information with other researchers; requests can be sent to threatintel@eset.com.

    The spyware's functionality largely matches what was in the leaked source code. So far, our analysis has not confirmed the release of any significant update of the kind Hacking Team promised after the hack.

    At least two of the samples studied were distributed via phishing e-mails. The malicious executable was disguised as a PDF using a double file extension. The names of the decoy documents suggest the intended victims were in diplomatic missions.


    Our research suggests that, with one exception, the RCS spyware samples are the work of Hacking Team itself and not code reuse as in the Callisto group case in 2016.

    At the time of writing, our telemetry is detecting new samples of Hacking Team spyware in 14 countries. We prefer not to name the countries, to avoid incorrect attribution: the geolocation of detections does not necessarily reveal the source of the attack.

    Indicators of compromise

    ESET detection names:
    Trojan.Win32/CrisisHT.F
    Trojan.Win32/CrisisHT.E
    Trojan.Win32/CrisisHT.L
    Trojan.Win32/CrisisHT.J
    Trojan.Win32/Agent.ZMW
    Trojan.Win32/Agent.ZMX
    Trojan.Win32/Agent.ZMY
    Trojan.Win32/Agent.ZMZ

    Samples signed by Ziber Ltd
    Thumbprint: 14 56 d8 a0 0d 8b e9 63 e2 22 4d 84 5b 12 e5 08 4e a0 b7 07
    Serial Number: 5e 15 20 5f 18 April 42 cc 6c 3c 0f 03 a3 3d 9f e1


    Samples signed by Audit ADD
    Thumbprint: 19 3e ad 4d c1 16 03 37 53 26 36 c3 7c a4 c5 97 64 6f bc c8
    Serial Number: 4c 8e 3b 16 13 f7 35 42 f7 10 6f 27 20 94 eb 23

    Samples signed by Lid Media
    Thumbprint: 17 f3 b5 e1 aa 0b 95 21 a8 9b 1c 94 69 25 32 a2 b2 e1 f5 f2
    Serial Number: e2 2c bd 0a d3 cf de 9e a7 3e ec 7c a3 04 00 da

    Samples signed by Megabit, OOO
    Thumbprint: 6d e3 a1 9d 00 1f 02 24 c1 c3 8b de fa 74 6f f2 3a aa 43 75
    Serial Number: 0f bc 30 db 12 7a 53 6c 34 d7 a0 fa 81 b4 81 93

    Samples signed by Rafael Karnasina
    Thumbprint: 8a 85 4f 99 2a 5f 20 53 07 f8 2d 45 93 89 af da 86 de 6c 41
    Serial Number: 08 44 8b d6 ee 91 05 ae 31 22 8e a5 fe 49 6f 63

    Samples signed by Valeriano Bedeschi
    Thumbprint: 44 a0 f7 f5 39 fc 0c 8b f6 7b cd b7 db 44 e4 f1 4c 68 80 d0
    Serial Number: 02 f1 75 66 ef 56 8d c0 6c 9a 37 9e a2 f4 fa ea

    172.16.1.206 is the internal address found in the samples.
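    The six signing certificates listed above, together with the compilation dates discussed earlier, are the most portable hunting artefacts in this report. The PowerShell script below is an added example, not ESET's or the article's code: it walks a directory, compares each file's Authenticode signer thumbprint against the six thumbprints above, and reports the PE compile timestamp so it can be checked against the September 2015 to October 2017 range. The scan path `C:\Samples` is an assumption.

```powershell
# Added example (not ESET's or Hacking Team's code). Hunts a directory for files whose
# Authenticode signer thumbprint is one of the six listed in the indicators of compromise,
# and reports the COFF compile timestamp for comparison with the 2015-2017 range.
param([string]$Root = 'C:\Samples')   # assumption: directory of files to triage

# Thumbprints copied verbatim from the IoC list (spaced lowercase hex).
$Signers = @{
    '14 56 d8 a0 0d 8b e9 63 e2 22 4d 84 5b 12 e5 08 4e a0 b7 07' = 'Ziber Ltd'
    '19 3e ad 4d c1 16 03 37 53 26 36 c3 7c a4 c5 97 64 6f bc c8' = 'Audit ADD'
    '17 f3 b5 e1 aa 0b 95 21 a8 9b 1c 94 69 25 32 a2 b2 e1 f5 f2' = 'Lid Media'
    '6d e3 a1 9d 00 1f 02 24 c1 c3 8b de fa 74 6f f2 3a aa 43 75' = 'Megabit, OOO'
    '8a 85 4f 99 2a 5f 20 53 07 f8 2d 45 93 89 af da 86 de 6c 41' = 'Rafael Karnasina'
    '44 a0 f7 f5 39 fc 0c 8b f6 7b cd b7 db 44 e4 f1 4c 68 80 d0' = 'Valeriano Bedeschi'
}
# Get-AuthenticodeSignature reports thumbprints as unspaced uppercase hex, so normalise once.
$Known = @{}
foreach ($k in $Signers.Keys) { $Known[($k -replace ' ', '').ToUpper()] = $Signers[$k] }

function Get-PeCompileTime([string]$Path) {
    # The COFF TimeDateStamp sits 8 bytes past the 'PE\0\0' signature, whose offset is stored at 0x3C.
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # not 'MZ'
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    if ($pe -lt 0 -or $pe + 12 -gt $b.Length -or $b[$pe] -ne 0x50 -or $b[$pe + 1] -ne 0x45) { return $null }
    $stamp = [BitConverter]::ToUInt32($b, $pe + 8)
    return [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
}

Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $tp  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    if ($tp -and $Known.ContainsKey($tp)) {
        # Status is informational only: an expired or revoked certificate still matches the IoC.
        [pscustomobject]@{
            File        = $_.FullName
            Signer      = $Known[$tp]
            Thumbprint  = $tp
            SigStatus   = $sig.Status
            CompiledUtc = Get-PeCompileTime $_.FullName
        }
    }
}
```

    A compile timestamp is attacker-controlled and can be forged, so treat it as corroborating evidence alongside the certificate match rather than as proof on its own.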
