Malware + Recommended + Security News

Hacked Spyware Company Seems to Have Released More Mac Malware

Posted on by


Hacking Team, an Italian company which specialises in helping governments and intelligence agencies spy on their citizens, didn’t have the best year in 2015.

It suffered an embarrassing hack, which saw its source code and entire email archive leaked online along with zero-day vulnerabilities it had been keeping up its sleeve (to sell to intelligence agencies prepared to stump up enough cash) released into the wild.

Some predicted that the future didn’t look too bright for Hacking Team, as it was forced to tell its government customers to stop using its spyware until it had restored some semblance of control over its network.

But now, over six months on, is it business as usual?

As security researcher Pedro Vilaça describes (in a post unflatteringly titled “The Italian morons are back! What are they up to this time?”), a fresh new version of Hacking Team’s RCS (Remote Control System) spyware has been uncovered.

As Mac security researcher Patrick Wardle describes, this sample of the malware is unusual insomuch as it uses a variety of techniques to avoid detection and analysis, being obfuscated with different encryption methods.

Intego’s own research team, however, say that the malware does not pose significant challenges for them.

Intego VirusBarrier will detect the malware as OSX/Crisis (a name shared with the Crisis malware family, based upon Hacking Team’s code). Some other anti-virus vendors are referring to the malware as “OSX/Morcut.”

Hacking Team

Whether it really is the work of Hacking Team, rising phoenix-like from the flames of its own ironic hacking disaster, is hard to confirm — as it might equally be possible that a third-party is using Hacking Team’s code to create their own malware. However, the smart money is pointing once again to the Italian firm.

The good news is that unless you are using a computer which is of interest to a government or intelligence agency, chances are that you will not have much to fear from this particular strain of Mac malware.

According to Mac Observer even if you aren’t running an anti-virus program on your Apple computer or laptop (shame on you if that’s the case), there is a simple way to tell if you might be infected with this particular malware:

Odds are your Mac hasn’t been hit with this new—and mostly meh—malware, but if you want to double check, look in ~/Library/Preferences/8pHbqThW/ for the file Bs-V7qIU.cYL.

Regardless, it always makes sense to keep your Mac anti-virus defences up to date, and follow best practices to reduce the chances of a security breach.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →