Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well. Since HackingTeam implants are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.
Encryption key
The main Backdoor component receives its payload instructions from an encrypted Json configuration file. In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.
By following this code we were able to find the new key used to encrypt the configuration file.
As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key. By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:
What does the implant do?
- It takes screenshots
- It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
- It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
- It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
- It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
Among other functionalities it also spies on the geolocation of the victim.
It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015. This indicates that this is a fresh HackingTeam Backdoor implant.
For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.
Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d
Reference samples hashes:
0eb73f2225886fd5624815cd5d523d08
e2b81bed4472087dca00bee18acbce04
Command and control servers:
212[.]71[.]254[.]212
The return of HackingTeam with new implants for OS X
Rafael Lopes
Well done, nice report.
Carlo Di Dato
Hi guys, great article but pay attention, it seems that the host you hide in this image
https://cdn.securelist.com/files/2016/03/hacking_team_en_3.png
is visible in this other image
https://cdn.securelist.com/files/2016/03/hacking_team_en_3.png
Regards
Carlo Di Dato
Ops… wrond address. Here is hidden
https://cdn.securelist.com/files/2016/03/hacking_team_en_4.png
here is visible
https://cdn.securelist.com/files/2016/03/hacking_team_en_3.png
Sorry
Securelist
Fixed, thanks.
Ankan Roy
Nice One!!