Interview with Patrick Wardle regarding Hacking Team's comeback

  • Vanessa Henri
  • Mar 5, 2016
  • 3 min read

In my last post, I discussed Hacking Team's comeback and how private companies are selling spyware and malware to governments. This billion-dollar industry was revealed principally through WikiLeaks (the Spy Files and others). I explained that Hacking Team was hacked in 2015 and that the company was recently identified as active again.


Patrick Wardle is the Director of Research and Development at Synack. To cite the website, Synack "bridges the gap between perceived security and actual security by leveraging hacker-powered exploitation intelligence". Patrick is also the founder of the Objective-See blog, which I cited in my last post. Through this blog, Patrick publishes the tools he uses to secure his Mac computer. He is an expert in his field, having presented his research at prominent cyber-security conferences, among which BlackHat, DefCon, VirusBulletin, ShmooCon & CansecWest.



Patrick's article on Hacking Team's malware was fairly technical, so I contacted him to ask for some explanations, and he kindly agreed to answer my questions. Here is the interview:

Why is Hacking Team using Apple Native Encryption? What are the benefits? Does it mean that the software works only on Apple?

Apple's native encryption can complicate analysis of the sample. As the binary is now encrypted, static analysis will not work. Also this will change the hash/signature of the sample, making it unlikely to be detected by AV products. As I mentioned in my blog, this was something I suggested during my BlackHat talk - to improve OS X malware. Other people have suggested this too. Somewhat neat to see the malware authors improving their tools.

This piece of software was OS X specific to begin with (even before adding the encryption). Yes, 'Apple's Native Encryption' is Apple-specific, so will only work on OS X (Macs).

Hacking Team’s new software is a backdoor. Is it, basically, creating what the FBI is looking for? What’s the link with FBI vs Apple (if any)?

Yes, HackingTeam's software provides backdoor access into a system, plus a ton of surveillance capabilities. However this is 100% different from what the FBI wants to do (in the iPhone case). The FBI does not want a backdoor, rather simply something they boot into specific phones to disable security features, so they can unlock the phone (and thus access the data). This piece of HackingTeam's malware is OS X (Mac) specific, and designed to live on live (active) systems. The FBI just wants something to help unlock a confiscated phone(s). So there is really 0% link/connection in this scenario.


In the past, it was reported that HackingTeam was a customer of the FBI: http://www.wired.com/2015/07/fbi-spent-775k-hacking-teams-spy-tools-since-2011/ However, again - in terms of the current FBI v. Apple situation, there isn't anything related to HackingTeam.

How good is Hacking Team’s software in your opinion? Compared to what’s available to developed countries’ intelligence agencies, for instance? Do they compete? It seems like their security is not so high given the recent leaks, so we’re wondering about the quality of their products.

HackingTeam's software is decent. It provides a lot of capabilities that we don't see a lot in public OS X malware. On a scale of 0-10 (10 being best, Stuxnet type stuff), I'd give them a 6. I can't speak about advanced nation-state OS X malware/backdoors - but such software is likely wayyy better (which is why we haven't seen any?). However, HackingTeam's OS X implant seems sufficient to provide a decent surveillance capability - perhaps for a country or government that doesn't have the skills to create their own.

Do we know anything about this new software? What can it do?

Actually it doesn't appear that this software is really new. Well, let me caveat it; the installer component appears to be new and uses Apple's encryption scheme, which we've never seen before in public OS X malware. However it installs their known RCS implant (that was leaked before). https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/ covers a lot about this. It looks like a slightly updated version (that can run on newer versions of OS X), but other than that - doesn't seem to have new capabilities.
