Hackingteam — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/hackingteam/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Feb 2016 07:47:15 +0000HackingTeam RCS Implant Installer Analysishttps://feed.craftedsignal.io/briefs/2016-02-hackingteam-rcs/Fri, 26 Feb 2016 07:47:15 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2016-02-hackingteam-rcs/An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.The Objective-See blog post from February 2016 analyzes an implant installer believed to be associated with HackingTeam’s Remote Control System (RCS) implant. The analysis reveals that this installer employs Apple’s native OS X encryption scheme and a custom packer, a notable shift in tactics. The sample, available on VirusTotal, was initially undetected by AV vendors. This suggests a potential resurgence of HackingTeam and an effort to evade traditional detection methods. The use of encryption and packing highlights the need for advanced analysis techniques and tools to uncover the malicious payload. The installer drops and executes a persistent implant, along with an encrypted configuration file. This activity indicates a sophisticated attempt to maintain long-term access to the compromised system.

Attack Chain

  1. The attacker deploys the encrypted HackingTeam RCS implant installer to the target macOS system.
  2. The installer uses Apple’s native OS X encryption scheme to protect the binary.
  3. The installer decrypts itself using a static Blowfish key.
  4. The decrypted installer unpacks itself from a custom packer.
  5. The unpacked installer drops a persistent implant to ~/Library/Preferences/8pHbqThW/_9g4cBUb.psr.
  6. The installer drops an encrypted data file to ~/Library/Preferences/8pHbqThW/Bs-V7qIU.cYL.
  7. The installer executes the dropped implant using execve.
  8. The persistent implant installs itself as a user Launch Agent with the name com.apple.FinderExtAvt.plist, ensuring persistence upon reboot.

Impact

A successful infection leads to the installation of the HackingTeam RCS implant on the macOS system. This allows the attackers to remotely control the system, potentially exfiltrate sensitive data, monitor user activity, and install additional malicious software. The use of encryption and packing significantly hinders detection and analysis, potentially allowing the implant to remain undetected for an extended period. While the number of victims is not specified, the use of sophisticated techniques suggests targeted attacks against high-value individuals or organizations.

Recommendation

  • Monitor file creation events for the creation of files in ~/Library/Preferences/8pHbqThW/ to detect potential RCS implant activity.
  • Deploy the Sigma rule to detect the creation of the LaunchAgent file associated with the RCS implant.
  • Block the listed IOCs, specifically the SHA256 hashes of the implant installer and persistent implant, at the endpoint to prevent execution.
  • Utilize tools like Objective-See’s BlockBlock and KnockKnock to detect and block persistence attempts and enumerate installed binaries.
]]>highthreathackingteamrcsmalwaremacos