Undetected Mac malware sighted online: HackingTeam has returned?

Researchers have uncovered a malicious tool that appears to be a newly developed Mac malware from HackingTeam, the first since the hack of last July that leaked gigabytes of the group’s private e-mail and source code.

The sample was uploaded on February 4 to the Google-owned VirusTotal scanning service, which at the time showed it wasn’t detected by any of the major antivirus programs.

Some technical information

A technical analysis published Monday morning by SentinelOne showed that the installer was last updated in October or November, and an embedded encryption key is dated October 16, three months after the HackingTeam compromise:

Last Friday a new OS X RCS sample was sent to me (big thanks to @claud_xiao from Palo Alto Networks for the original discovery, and as usual to @noarfromspace for forwarding it to me). My expectations weren’t big since all the public samples were rather old and now we had their source code, so if it were an old sample it was totally uninteresting to analyse. But contrary to my expectations there are some interesting details on this sample. So let’s start once more our reverse engineering journey…

How do I check if my computer has been infected?

Another very good technical analysis was published by Patrick Wardle, who examined the malware and says that it appears to install a new version of the old Hacking Team implant and uses several advanced tricks to evade detection and analysis.

Wardle also suggests a quick method to check whether your system has been infected:

To check if you are infected, simply look for the following directory: ~/Library/Preferences/8pHbqThW/ containing _9g4cBUb.psr and/or Bs-V7qIU.cYL.

To disinfect yourself, delete that entire directory, and remove the ~/Library/LaunchAgents/com.apple.FinderExtAvt.plist file. Of course if you really are infected - throw out your computer and get a new one!
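Wardle's check, written up as a small shell script that I have added here (my code, not Wardle's or SentinelOne's): it looks under a given home directory for the directory, the two file names and the LaunchAgent plist quoted above, reports each one it finds and returns non-zero if any is present. The script file name check_rcs.sh is an assumption.

```shell
#!/bin/sh
# Added example (not Wardle's code): report the on-disk indicators quoted
# above for this OS X RCS sample. $1 is the home directory to inspect
# (default: $HOME), so another user's profile or a mounted volume can be
# checked. Prints one line per indicator found and returns 0 when the
# home looks clean, 1 when at least one indicator is present. Nothing
# is deleted; removal is left to the operator, as Wardle describes.

# Indicators as given on the page, relative to the home directory.
RCS_DIR="Library/Preferences/8pHbqThW"
RCS_FILES="_9g4cBUb.psr Bs-V7qIU.cYL"
RCS_AGENT="Library/LaunchAgents/com.apple.FinderExtAvt.plist"

check_rcs_iocs() {
    rcs_home="${1:-$HOME}"
    rcs_found=0

    # The hidden preferences directory is the primary indicator; list
    # which of the two known file names are inside it.
    if [ -d "$rcs_home/$RCS_DIR" ]; then
        echo "FOUND directory: $rcs_home/$RCS_DIR"
        rcs_found=1
        for f in $RCS_FILES; do
            if [ -e "$rcs_home/$RCS_DIR/$f" ]; then
                echo "FOUND file: $rcs_home/$RCS_DIR/$f"
            fi
        done
    fi

    # The LaunchAgent plist is what restarts the implant at each login.
    if [ -e "$rcs_home/$RCS_AGENT" ]; then
        echo "FOUND launch agent: $rcs_home/$RCS_AGENT"
        rcs_found=1
    fi

    if [ "$rcs_found" -eq 0 ]; then
        echo "No RCS indicators under $rcs_home"
    fi
    return "$rcs_found"
}

# When run directly as check_rcs.sh (assumed file name) rather than
# sourced, check the caller's own home directory.
case "$0" in
    *check_rcs.sh) check_rcs_iocs "$@" ;;
esac
```

A non-zero exit status makes the script usable from a fleet-wide inventory job; the directory is only flagged when it exists, so a stray plist alone is still reported separately.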