Last week, Patrick Wardle published a nice analysis of a new Backdoor and Dropper used by HackingTeam, which is apparently alive and well.
Since HackingTeam implants are built on-demand for each target, we wanted to take a closer look: to see how it works and what its functionality reveals about the possible interest of the attackers behind this latest Backdoor.
The main Backdoor component receives its payload instructions from an encrypted Json configuration file.
In order to decrypt the configuration file, we began by using known keys, but none of them were able to decrypt the file. Upon checking the binary file we were able to identify that the function used to encode the file is still AES 128, so we started to look for a new encryption key. We located the initialization of the encryption routine, where the key is passed as an argument.
By following this code we were able to find the new key used to encrypt the configuration file.
As you can see, the key is 32 bytes long, so just the first 16 bytes are used as the key.
By using this key on our script we successfully decrypted the configuration file, which turns out to be a Json format file carrying instructions on how that particular Backdoor needs to operate on the target’s OS X machine:
What does the implant do?
It takes screenshots
It synchronizes with or reports stolen information to a Linode server located in the UK, but only when connected to Wi-Fi and using a specific Internet channel bandwidth defined by the Json configuration file:
It steals information on locally-installed applications, address book entries, calendar events and calls. OS X allows iPhone users to make such calls straight from the desktop when both are connected to the same Wi-Fi network and trusted.
It spies on the victim by enabling frontal camera video recording, audio recording using the embedded microphone, sniffing local chats and stealing data from the clipboard.
It also steals emails, SMS and MMS messages from the victim, which are also available on the OS X desktop when an iPhone is paired.
Among other functionalities it also spies on the geolocation of the victim.
It’s interesting to note that the Json file says that the start date of the operation is October 16 (Friday), 2015.
This indicates that this is a fresh HackingTeam Backdoor implant.
For some reason the attacker was not interested in any emails sent to or from the target before that date but only from then on.
Kaspersky Lab detects the above-mentioned Backdoor implants as Backdoor.OSX.Morcut.u and its dropper as Trojan-Dropper.OSX.Morcut.d
Reference samples hashes:
Command and control servers: