{"id":5249,"date":"2016-03-04T17:56:27","date_gmt":"2016-03-04T17:56:27","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5249"},"modified":"2019-11-15T06:58:46","modified_gmt":"2019-11-15T11:58:46","slug":"back-on-mac-hacking-teams-new-os-x-exploit-examined","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/back-on-mac-hacking-teams-new-os-x-exploit-examined\/5249\/","title":{"rendered":"Back on Mac: Hacking Team&#8217;s new OS X exploit examined"},"content":{"rendered":"<p>Securelist <a href=\"https:\/\/securelist.com\/blog\/research\/74063\/the-return-of-hackingteam-with-new-implants-for-os-x\/\" target=\"_blank\" rel=\"noopener\">issued<\/a> a quick heads-up on what they called new \u2018implants\u2019 for OS X. It looks as though the notorious Hacking Team is back in business.<\/p>\n<p><strong>\u2018Missed me?\u2019<\/strong><\/p>\n<p>Hacking Team is a Milan-based IT company that sells \u201coffensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations\u201d. In 2015 it suffered a tremendous security breach: over 400 gigabytes of data, including alleged internal e-mails, invoices and source code, were leaked via BitTorrent and Mega. Some exploits previously owned by Hacking Team immediately made their way <a href=\"https:\/\/business.kaspersky.com\/darkhotel-hackingteam\/4357\/\" target=\"_blank\" rel=\"noopener nofollow\">into the hands of APT actors<\/a>. In the wake of the breach, cybersecurity vendors also made some peculiar discoveries, such as a <a href=\"https:\/\/business.kaspersky.com\/read-the-newspapers-or-how-public-information-helps-with-0day-bug-busting\/5028\/\" target=\"_blank\" rel=\"noopener nofollow\">0-day exploit for the Silverlight platform<\/a>, which Hacking Team had bought from a third party.<\/p>\n<p>Of course, for Hacking Team this leak seemed disastrous, to the point where many another company would simply have called it quits. 
However, that does not appear to be the case here.<\/p>\n<p><strong>Implants<\/strong><\/p>\n<p>Securelist\u2019s author Dmitry Bestuzhev has previously <a href=\"https:\/\/securelist.com\/blog\/research\/73305\/targeted-mobile-implants-in-the-age-of-cyber-espionage\/\" target=\"_blank\" rel=\"noopener\">defined \u201cmobile implants\u201d<\/a> as a strain of spying software \u201csmuggled\u201d into mobile devices so that attackers can access the data stored on them and eavesdrop on all communications. Hacking Team produced them <a href=\"https:\/\/business.kaspersky.com\/mobile-spies\/5065\/\" target=\"_blank\" rel=\"noopener nofollow\">for a number of mobile platforms<\/a> \u2013 effectively all of those in use today, including the less popular BlackBerry and Windows Mobile. These implants vary in their capabilities, but all of them are quite dangerous.<\/p>\n<p>So is the new one.<\/p>\n<p><strong>Specifically crafted<\/strong><\/p>\n<p>Hacking Team builds its implants on demand for each specific target, so their functionality may hint at who the target is. Not always, though.<\/p>\n<p>Several things are known about this latest implant.<\/p>\n<ul>\n<li>It takes screenshots.<\/li>\n<li>It synchronizes with, or reports stolen information to, a Linode server located in the UK, but only when the machine is connected to Wi-Fi and the link meets a bandwidth threshold defined in the JSON configuration file. It will not send data over a cellular connection.<\/li>\n<li>It steals information on locally installed applications, address book entries, calendar events and calls. 
OS X allows iPhone users to make such calls straight from the desktop when both devices are on the same Wi-Fi network and paired as trusted.<\/li>\n<li>It spies on the victim by recording video from the front-facing camera and audio from the built-in microphone, sniffing local chats and stealing clipboard contents.<\/li>\n<li>It also steals the victim\u2019s emails, as well as SMS and MMS messages, which are likewise available on the OS X desktop when an iPhone is paired.<\/li>\n<li>It also tracks the victim\u2019s geolocation.<\/li>\n<\/ul>\n<p>Apparently this implant is part of an espionage operation that started on October 16, 2015. Securelist notes that the attacker was not interested in any emails sent to or from the target before that date, only in those from then on. Noteworthy: the attack primarily targets laptops, yet it still intercepts iPhone communications.<\/p>\n<p>Kaspersky Lab detects the implant as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d. Further technical details are available <a href=\"https:\/\/securelist.com\/blog\/research\/74063\/the-return-of-hackingteam-with-new-implants-for-os-x\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Mac OS X, like iOS, certainly enjoys an elite status for a number of reasons, including its high price and, in fairness, the good job Apple does on security. Regardless, OS X has its share of vulnerabilities, which interested parties discover and exploit, while users often assume that Macs and iPhones need no extra protection. This story shows once more that extra measures are necessary, especially when laptops and mobile devices are used to exchange sensitive information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securelist issued a quick heads-up on what they called new &#8216;implants&#8217; for OS X. 
It looks as though the notorious Hacking Team is back in business.<\/p>\n","protected":false},"author":209,"featured_media":15323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[872,2396,1946,2397],"class_list":{"0":"post-5249","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cyberespionage","10":"tag-hacking-team","11":"tag-macos","12":"tag-mobile-implants"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/back-on-mac-hacking-teams-new-os-x-exploit-examined\/5249\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/back-on-mac-hacking-teams-new-os-x-exploit-examined\/5249\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/back-on-mac-hacking-teams-new-os-x-exploit-examined\/5249\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cyberespionage\/","name":"cyberespionage"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5249"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5249\/revisions"}],"predecessor-version":[{"id":30320,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5249\/revisions\/30320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15323"}],"wp:attachment":[{"href":"http
s:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}