Over the past weeks, security researchers have been analyzing a new malware sample. According to their report, this malware targets Mac OS X and turns out to be the work of the well-known HackingTeam company.
HackingTeam is a controversial and widely despised Italian company that sells surveillance software (the legal term for malware) to governments around the world.
A couple of weeks ago, security expert Claud Xiao discovered a series of malicious Mac binaries that he considered very suspicious.
Xiao shared these binaries with the infosec community, and they ended up in the hands of OS X security specialists Pedro Vilaca and Patrick Wardle, who analyzed their capabilities in much greater depth.
Both researchers reached the same conclusion: the malicious binaries contain new or modified malware that probably uses the same techniques and mode of operation as the earlier malware uncovered through last summer's HackingTeam data breach.
Pedro Vilaca and Patrick Wardle are not 100% sure that HackingTeam is "officially" behind this new malware, though the information they have shared seems rather reliable.
Regarding the malware itself, both experts said that this new variant is only a dropper and nothing complex at all.
Droppers are a class of computer viruses with two functions. First, they must be able to infect a computer and maintain a foothold. After that, they must be able to contact a C&C server and download a specific malware variant, chosen according to the details of the infected system.
The experts noted that, at the time of their analysis, the antivirus engines in Google's VirusTotal service were not flagging it as malicious.
In addition, they reported that, compared to other HackingTeam Mac malware, the newly found binaries use Apple's built-in OS X encryption scheme as well as a custom binary packing system.