Malware-Guns For Hire

Malware-Guns For Hire

The Italian team of paid hackers known as “Hacking Team” suffered an embarrassing attack of their internal systems this past weekend.

The attack resulted in a release of approximately 400GB of data ranging from internal documents, contracts, customer records, passwords, phone discussions, source code and software — just to name a bit.

While most people have probably never heard of Hacking Team, or know the type of functions the organization performs, the hacking and subsequent release of their internal information is ironic – if not slightly amusing – considering computer intrusion is the very nature of their business.

Take a look at this promo video for a better idea of their business model:

According to internal documents, the Milan based team specializes in “development of offensive security software solutions” possessing the capability to “attack, screen, gain control of, and monitor personal devices such as PC’s and smartphones.”

HT1

To summarize it more succinctly, the group develops and sells malware for the purpose of exposing information against desired targets.

Internal records indicate that the organization primarily markets the software to Law Enforcement/Government organizations, although invoices ranging from hardware purchases to brochures and promotional pens can be located which identify a number of world-wide organizations not affiliated with such institutions.

The flag-ship product of Hacking Team is the ‘Remote Control  System’ (RCS for short) software, which, in essence, is an infostealer capable of thwarting detection and collecting a swath of personal information from whomever is being surveilled.

Marketing materials boast a wide range of supported Operating Systems and platforms for the RCS software.  All major Operating Systems and platforms are supported:  Windows, OSX, Linux, Android, Blackberry, iOS, Symbian, and Windows Phones.

HT2

RCS is feature-rich with surveillance capabilities and can collect or monitor most components on a personal computer or cell phone.  The software has the ability to exploit systems, execute code, destroy files, and monitor an array of peripherals, applications, and communications. The list below indicates some of the capabilities of RCS.

For those familiar with such software, RCS is basically nothing more than a Remote Access Trojan (RAT).  RATs (also known as ‘backdoors’) have been around for years, and some may even be familiar with names such as Back Orifice 2000, Sub7, and Poison Ivy.

In all reality, features included as part of the RCS suite are not unique, and the actions performed by the software differ little from malware variations that we see each day.

Keylogging, screenshot collection, remote file execution, and monitoring are all common malicious activities which are seen throughout a majority of trojans, backdoors, keyloggers, and bots.

The Hacking Team training material even goes so far as to make multiple references to the fact that the RCS software is a ‘backdoor’.

HT5

The RCS management software is designed to be hidden behind a series of online anonymizers. These anonymizers act as somewhat of a proxy for the communication of the software, thus allowing attackers to mask their location from analysis tools.  Multiple anonymizers can be cascaded together, known as an ‘anonymizer chain’, which causes the traffic to ‘hop’ to multiple destinations prior to arriving at the final destination.

This cascading effect makes analysis efforts that more difficult.  A good analogy of this anonymizer chain would be the scene from the 1992 film ‘Sneakers’ (great movie) where ‘Whistler’ describes his attempts to bounce a telephone call through a variety of relay stations in an endeavor to thwart tracing efforts by the NSA.

 

This diagram outlines the general architecture of the RCS service which shows the RCS Collection Nodes and Management Stations behind an anonymizing network.  Various targets consisting of multiple platforms are shown to reside out on the public internet.

HT6

The attack vector of the RCS software is not that dissimilar to other malware distributors.  The Hacking Team methodology relies on a combination of ‘Injection Technology’, 0-Day / 1-Day exploits, offline hardware installations (USB, CD-ROM), and social engineering to facilitate the delivery of malicious payloads.

‘Injection Technology’ refers to the RCS Injection Proxy Appliance (RCS IPA), which is described as an “offensive security device developed to perform remote installation of Remote Control System (RCS)”, and to facilitate the monitoring of all HTTP connections.  ‘By using man-in-the-middle attack techniques’, RCS IPA can be configured to deploy code or executables to specified IP ranges or users.

HT7

Remote Mobile Installation (RMI) is another form of injection technology geared towards mobile devices.  RMI is designed to install the RCS backdoor to mobile devices without the use of any exploits.

The software does this by taking advantage of wap-push messaging, which is a standard feature of all GSM devices.  To summarize the attack, a specially-crafted wap-push message is sent to the device which automatically causes the browser to open.

The message is coded to open a customized URL which attempts to automatically install the backdoor onto the phone.

By default, Windows phones and Blackberry ask for user confirmation prior to this action.  As indicated by the FAQ, the worst case scenario is that the user will be presented with a dialogue box, thus requiring social engineering in order to deceive the user.

HT8

Knowledge Base articles include useful information for customers in their attempts at social engineering.  Several ‘best practice’ documents reveal suggestions on ‘jailbreaking’ iPhones and Android devices, as well as other useful techniques such as SMS spoofing. The process of social engineering is also important enough to list as one of the 3 components to success.

HT9
HT10

Most interestingly, the organization claims to possess a selection of previously undisclosed vulnerabilities on both mobile and PC platforms to widely used applications such as browsers and Office products to assist customers in the successful delivery of the RCS software.

Hacking Team maintains a repository of 0-day and 1-day exploits available for use, and claims to write exploits for vulnerabilities which exist, despite the fact that no proof of concept has been publicly released.

The RCS console allows customers to quickly choose the desired exploit and generate a URL suitable for the intended target.  Marketing materials claim that the exploit portal will always contain at least three 0-day exploits.

HT11
HT12

The group further ensures success with routine analysis of the RCS program against popular Antivirus programs.  Knowledge base articles reveal strong efforts to test the installation capabilities against a variety of well-known programs.

Without any way of understanding the context of the following data, it appears as though Malwarebytes causes errors with RCS as the note on our Knowledge Base article indicates “Not Tested System positive fails”.

HT13

P.S. – Hacking Team, FYI, MalwareBytes is one word

Documents also reveal that Hacking Team has at least on one occasion solicited the services of a major Antivirus testing organization to aid in the process of determining detection rates of the RCS software.

While the document in question is over a year old, its presence shows a commitment on the organizations part to ensure stealth capabilities remain.

HT14

As the three points of success indicate, infection vector combinations, social engineering, and a bit of good luck is all that’s usually needed to successfully compromise an unsuspecting victim.

And, with Hacking Team’s repository of useful tools, malware samples, exploits, social engineering suggestions, and guidelines, it’s hard not to imagine the organization maintains a fairly high level of success.

The unfortunate disclosure of their internal data indicates that not only does the software work, but that a number of Government institutions around the world have interest in such technology.

While we’re all free to have our own opinions of the validity of such organizations and surveillance tools, the one thing that is for certain is that regardless of the intent of the user, unpatched software vulnerabilities can pose a danger to everyone on the internet.

The claims by Hacking Team that they maintain a collection of unpublished 0-day exploits is concerning.  Despite their best intentions, it seems to be a rarity in life when only few people in the world know details to any given subject matter.

To assume that they are the only ones who know of a particular exploit may be a bit naïve.  It’s not too hard to imagine that if they were able to find the exploit, there are at least a few others out there capable of it as well.

Such vulnerabilities are capable of devouring millions of dollars from individuals and businesses alike, and allowing such vulnerabilities to remain, regardless if for legitimate commercial gain or State-sponsored espionage, poses a risk to us all.

ABOUT THE AUTHOR

Adam McNeil

Senior Malware Intelligence Analyst

Over 10 years of experience busting scams and taking keys. Also known as Kamikaze Joe to his drone pilot friends.