Malware is largely undetected by security software

Mar 1, 2016 11:00 GMT  ·  By

For the past few weeks, security researchers from Palo Alto Networks, SentinelOne, and Synack have been analyzing a new malware sample targeting Mac OS X, which appears to be the work of the infamous HackingTeam.

The HackingTeam is a controversial and despised Italian company that sells surveillance software (legal term for malware) to governments around the world.

A few weeks ago, Claud Xiao, a security researcher at Palo Alto Networks, discovered a series of malicious Mac binaries that he considered extremely suspicious.

After he shared these binaries with the infosec community, they ended up in the hands of OS X security specialists such as SentinelOne's Pedro Vilaca and Synack's director of R&D Patrick Wardle, who took a longer, closer look at their capabilities.

They both reached the same conclusion: these malicious binaries contain new (or modified) malware that seems to be using the same techniques and mode of operation as previous malware that was uncovered via the HackingTeam data breach from last summer.

The two security researchers are not 100% sure that the HackingTeam is "officially" behind this new malware, but we're going to need another data breach to confirm this information anyway.

The malicious binaries are simple malware droppers

As for the malware itself, both researchers said that this new variant is only a dropper, and not anything complex.

Droppers are a class of computer viruses with two functions: they must be able to infect a computer and maintain a foothold, and they must then be able to contact a C&C server and download a specific malware variant, chosen according to the details of the infected system.

The researchers both noted that, at the time of their analysis, the antivirus engines in Google's VirusTotal service weren't flagging these binaries as malicious.

They also noted that, compared to other HackingTeam Mac malware, these new binaries used Apple's built-in OS X encryption scheme and a custom binary packing system.