Hacking Team rides again with updated spyware

Security researchers believe the infamous provider of malware for law enforcement agencies and repressive regimes, Italian company Hacking Team, is back in business.

In a blog post titled The Italian morons are back! What are they up to this time?, Pedro Vilaça analysed a sample of what appears to be a variant of Hacking Teams Remote Control System (RCS), provided to him by security vendor Palo Alto Networks.

Hacking Team was comprehensively compromised in July last year, with some 400 gigabytes of the company's documents, source code and other files posted on the internet.

The leak also contained lists of existing and prospective customers, with Australian agencies outed as being interested in the company's tools.

Although Hacking Team vowed to return in September 2015, little has been heard of the business since.

However, Vilaça dated his sample of the RCS to mid October last year.

"Never before [have we] had such a fresh sample. And if this date is really true we have a post hack sample, meaning that HackingTeam are still alive and kicking post July hack," Vilaça wrote.

A control and command server for the RCS program was running on hosting provider Linode in the UK, but Vilaça said the node went down quickly.

Disassembly of the RCS sample showed it was compiled from the leaked source code. Vilaça said he couldn't initially see many new improvements.

He later said unique code was found in the dropper that deposits the RCS implant, indicating that either someone else was maintaining or updating the source, or that Hacking Team itself compiled it.

Another researcher, Patrick Wardle of Objective-See, confirmed the RCS dropper contaied new features such as being scrambled with Apple's OS X native encryption scheme.