Back on Mac: Hacking Team’s new OS X exploit examined

Securelist issued a quick heads-up on what they called new ‘implants’ for OS X. It looks as though the notorious Hacking Team is back in business.

‘Missed me?’

Hacking Team is a Milan-based IT company that sells “offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations”. In 2015 it suffered a tremendous security breach: over 400 gigabytes of data, including alleged internal e-mails, invoices, and source code, were leaked via BitTorrent and Mega. Some exploits previously owned by Hacking Team immediately made their way into the hands of APT actors. In the wake of this breach, cybersecurity vendors also made some peculiar discoveries, such as a 0-day exploit for the Silverlight platform, which Hacking Team bought from a third party.

Of course, for Hacking Team this leak seemed disastrous, to the point where another company would have immediately called it quits. However, that does not appear to be the case here.


Securelist’s author Dmitry Bestuzhev has previously defined “mobile implants” as a strain of spying software “smuggled” into mobile devices so attackers can access the data stored within, as well as eavesdrop on all communications. Hacking Team produced them for a number of mobile platforms, effectively all of those in use now, including the less popular BlackBerry and Windows Mobile. These implants vary in their capabilities, but all of them are quite dangerous.

So is the new one.

Specifically crafted

Hacking Team builds its implants on demand for each specific target, so the functionality may provide some information on who the target is. Not always, though.

Several things are known about this latest implant.

  • It takes screenshots.
  • It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the JSON configuration file. It won’t send data via a cellular network.
  • It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
  • It spies on the victim by enabling front camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
  • It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
  • It also spies on the geolocation of the victim.

Apparently this implant is part of an espionage operation which started on October 16, 2015. Securelist says the attacker was not interested in any emails sent to or from the target before that date, only in those from then on. Noteworthy: the attack is targeted mainly at laptops, but it still intercepts iPhone communications too.

Kaspersky Lab detects the above-mentioned backdoor implant as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d. Other technical details are available here.

Mac OS X and iOS certainly have elite status for a number of reasons, including their high price and the good job Apple is doing with cybersecurity. Regardless, OS X has its share of vulnerabilities, discovered and exploited by interested parties, while users often think Macs and iPhones don’t need any extra security. This story shows once again that extra measures are necessary, especially when laptops and mobile devices are used to exchange sensitive information.