Researchers at Rook Security have released a new tool that looks for HackingTeam malware on target systems, and also have published a set of indicators of compromise to help organizations look for signs of an infection from the intrusion software.
The HackingTeam Remote Control System is the company’s flagship surveillance and intrusion platform. It sold the system to government agencies and law enforcement customers, but part of the fallout from the breach earlier this month was the exposure of HackingTeam’s customers’ names, some of which are associated with oppressive regimes. In the weeks since the attack on HackingTeam, experts have set about looking for ways to find the company’s malware tools on potentially compromised systems.
The tool that the researchers from Rook, a security company based in Indianapolis, is called Milano and is designed to automate the process of finding the HackingTeam malware. Milano is a free tool and has two separate modes: quick scan and deep scan. The tool looks for hashes of known HackingTeam files and Rook officials said a quick scan can run in a few seconds, while a deep scan can take up to an hour depending upon the system.
Rook has been working with the FBI’s Cyber Task Force in Indianapolis to analyze the HackingTeam tools and exploits, as well.
“This breach has been very unique in nature and challenging for security technology vendors to obtain code samples to create signatures and patches, thereby leaving scores of systems potentially vulnerable to nefarious actors seeking to weaponize Hacking Team’s once proprietary tools,” said J.J. Thompson, CEO of Rook. “After our Intelligence Team quickly deduced how the leaked code could be weaponized and used for harm, we immediately put a team in place to identify, analyze, and detect malicious files located in this data.”
Meanwhile, Facebook has released an update for its Oquery tool that, among other things, can find the OS X backdoor used by the HackingTeam software.
“Attackers continue to develop and deploy Mac OS X backdoors. We’ve seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives,” Javier Marcos de Prado of Facebook said in a blog post.
Researchers around the world have been analyzing the HackingTeam platform, tools, and exploits since the company was breached two weeks ago. In addition to emails and documents, much of the source code for the RCS platform was posted online, and some researchers have been able to get it up and running on their own systems. Company executives have said that they are in the process of building an entirely new version of RCS, to be released at an unspecified date.
“This is a total replacement for the existing ‘Galileo’ system, not simply an update,” HackingTeam COO David Vincenzetti said. “Of course, it will include new elements to protect systems and data considering the impact of the attack against HackingTeam.”
Tom Gorup, security operations manager at Rook, said the Milano tool will continue to evolve as more information is discovered.
“Right now there’s about ninety files that it looks for, but that will go up as we go along,” Gorup said.