Thank you. Hello everybody. You know, when companies get hacked, they tend to recover. But what happens when your company gets hacked and all your products become unusable? That's the Hacking Team case.

So let's take a look. The company was founded in 2003, and in the beginning they were focusing on cyber defense, doing various pen tests. Later they shifted to cyber offense: they were developing spyware and selling it exclusively to governments and their agencies. The security community didn't know which spyware in the wild they were developing until 2012, when researchers from Dr.Web attributed the spyware in the wild to the company Hacking Team. Later, Citizen Lab revealed that the company sells their products to oppressive regimes, which are misusing these products, this spyware, against political dissidents, journalists and other similar people. As we can see here, it is not that unusual for offensive companies to sell products to oppressive regimes: this political dissident was targeted also by FinFisher and NSO Group, which are competitors of Hacking Team.

Ironically, later the company Hacking Team got hacked and all their data from the company leaked public. Sorry. The leak includes the spyware, the source code, their customers, price list, documentation, basically everything. There were also five zero-day exploits which they had before the leak. It also revealed how they had been buying these zero-days from the company VUPEN and other independent vulnerability researchers. It also revealed that they had a product, Network Injector, for doing various man-in-the-middle attacks. And also, of course, the hack includes the spyware. They had a flagship product called Remote Control System, or also Galileo, and they had spyware for desktop, also for mobile phones, and also they had a UEFI rootkit. According to leaked documentation, this UEFI rootkit required physical access to the computer in order to be installed.

Here we can see an order for one customer. This customer ordered 50 desktop agents.
For example, he ordered spyware for Windows. He didn't order spyware for Symbian, and he also bought access to the exploit portal. So as we can see, it is a service like every other: their customers can buy whatever they want to buy, and as much as they want to buy.

Later, it came as no surprise that when the source code leaked public, some other cyber criminals started to reuse the leaked source code and the leaked spyware. This was the case with the Callisto group, which was revealed by F-Secure, and maybe also the case with a modified Hacking Team spyware sample for Mac OS X.

And now it starts to be interesting. A mysterious investor appeared, Hacking Team received funding, and according to Motherboard this mysterious investor has some ties to the Saudi government. That's why we started the research. In the beginning we exchanged some technical information with Citizen Lab. They shared with us samples used before, and together we discovered a new modified Hacking Team sample being used in the wild.

What do we know about the spyware? The spyware used in the wild has these names. The first two names were used to target high profiles, and the first name was used to target two ambassadors in an African country. The spyware has two stages. The first stage, the Scout, is a very basic spyware. It is designed only to download the second stage: just collect some basic information from the computer and download the second stage. The second stage, according to the Hacking Team naming convention, is called Soldier or Elite. The Elite is the premium version of the spyware, the advanced version of the spyware, and it depends on whether the customer bought the Elite or not, so he can use it or not. Yeah, and all samples are packed with VMProtect.

The first stage, Scout, as I said, is a very basic spyware. It just steals basic information like installed applications and so on from the computer, and then it downloads the second stage, where the actual payload is. So this Soldier steals a lot of information. How is it designed?
It collects data from the computer, packs them and encrypts them, and saves them into the Windows registry. Then there is another thread which is watching the registry, and if there are some new data in the registry, it uploads the data to the C&C server. Another thread is responsible for checking whether there is a new version of the spyware available, or also whether the malware operator changed the configuration of the spyware. And yeah, this new modified Hacking Team spyware sample has an improved architecture, and in general the architecture of the spyware and the implementation is very good, meaning they have very good memory handling and error checking and so on.

Let's take a look at the actual payload. Here we can see code responsible for stealing clipboard data. Here it steals the clipboard with basic data like the actual time, process name, window title and so on. Here it packs and encrypts this data and writes the log. And as we can see, the code is pretty robust. You know, stealing clipboard data can be achieved by just one Windows API function, and all this code is responsible just for doing this. So it's quite a complicated spyware.

Another functionality is that they can steal various data from mails and from social networks. They have support for Facebook and Twitter; they are extracting messages, contacts and photos, and if a location of the photo is available on Facebook, they can also extract this location. They are stealing emails and contacts from Gmail and Twitter, and they can also steal files from Google Drive. Some other functionality is, I would say, self-explanatory, so I will continue with geolocation. They are collecting the Wi-Fi networks available around, and based on it they try to determine the location of the victim. Then there is some other interesting functionality.
They can steal various data from popular web browsers. They are stealing saved data, preferences, history, and something else, I would say, yeah, bookmarks from popular web browsers. And very interestingly, they can also change the configuration in Tor Browser. It means that the attacker can track the victim very well, and what's worse, after removing the spyware from the computer, the changed configuration in Tor Browser remains, of course.

What is new is support for monitoring Skype calls, keylogging and monitoring the mouse: they are taking screenshots when you click a mouse button. And what is completely new: actually these three things which I just mentioned, they moved from the premium version, from Elite, to the Soldier. And what is completely new, what wasn't in the leak, is scheduled uninstallation. It means that the malware operator can choose at what time it will uninstall from the system and the whole operation will terminate.

This is the configuration file of the Soldier. So once the customer buys the agent, they can choose what configuration they want to use. For example, this one has screenshots enabled, and they are taking them every 120 seconds. So as we can see, the spyware is in active development.

The question is, who is developing the spyware? Is it some random cyber criminals, like the Callisto group for example, or are we looking at the rise of the phoenix? Would it be a surprise that the company wanted to recover from the hack and went back to a lucrative business?

Let's focus on details. The modified Hacking Team spyware had a digital certificate. That is not so unusual for malware, but this one was issued by Thawte, and Thawte is verifying the entities. They issued this certificate to a London company, Cyber LTD. It means that a UK company signed the modified Hacking Team spyware. We collected more spyware samples, post-leak samples, and all of them were signed.
I just mentioned Cyber LTD. Before that, there were some three Moscow companies; again, the certificate was issued by Thawte, so these are real Russian companies. Before that there was a software developer, Raffaele Carnacina, and before that the modified Hacking Team spyware was signed by Valeriano Bedeschi. Valeriano Bedeschi is a co-founder of Hacking Team.

The spyware has versions inside. Before the leak, we can see here the versions: they were pushing updates of the spyware every few months, and they were also signing the spyware with these certificates. Here we can see the leak, and this in red is the reuse of the leaked spyware, version 14, by the Callisto group. Version 14 is the same spyware that was in the leak. As we can see, after the leak the modified Hacking Team spyware samples have new versions, and the versioning, improving the versions, pushing new updates, is a very smooth development. It is increasing the same way as before the leak. Also the digital certificates.

Some other thing which is very typical for Hacking Team developers: before the leak they had been using malware descriptions. They were copying these descriptions from legitimate applications and putting them into the Hacking Team spyware. The modified Hacking Team spyware used in the wild right now also has a description from a legitimate application. So: digital certificates, smooth versioning, malware also packed with VMProtect. It looks like these developers are deeply familiar with Hacking Team spyware development habits.

Before the leak, when the spyware was installed into the system, it increased its size with random data to four megabytes. After the leak they increased this size to six megabytes. How they were increasing it: before the leak they had been generating random numbers with the GetTickCount function and the rand function. After the leak they added the CryptGenRandom Windows API function, and only if it fails will they use the previous
function for generating random numbers. This is another piece of evidence that these developers are orienting very well in the code.

Before the leak they had been using a replacement for the Windows API Sleep function, as we can see here. Sometimes they had been using Sleep, sometimes these two Windows API functions which together acted as Sleep. After the leak, these modified Hacking Team samples are using three Windows API functions, which is again a replacement for the Sleep function. Again, this is something that random malware developers wouldn't bother with when reusing the leaked source code.

When the spyware detected that it is running in a sandbox, it is resetting the critical parts of the memory, and then it connects to a legitimate domain. Before the leak they were connecting to a Skype domain; after the leak they changed this domain to CNN. This is a screenshot of the leaked source code, and we can see here that they were using strings, again when they detect a sandbox, and they had a strings history. This was used in RCS, Remote Control System, version 9.0, I'm not sure, 9.4. Yeah, then again they changed them in version 9.5 to these strings. These were the most recent strings before the leak, in version 9.6. Again, after the leak the modified Hacking Team samples have these strings changed. This is another screenshot of leaked source code.
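The padding habit described above (inflating the installed file with random bytes, four megabytes before the leak and six after) gives a defender a cheap triage signal: a megabyte-scale, near-random blob sitting past the end of the last PE section. The script below is an added example for this talk, not code from the speaker, from ESET or from the leaked Hacking Team source. It assumes the padding lands as an overlay after the last section (an assumption; the talk does not say where the bytes are appended), and the size and entropy thresholds are chosen for the example, not taken from the talk. It constructs a minimal synthetic PE so the check runs offline.

```python
import struct
from collections import Counter
from math import log2


def image_end_offset(data: bytes) -> int:
    """Offset just past the last section's raw data, computed from the PE headers.
    Anything after this offset is 'overlay': bytes the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end = section_table + 40 * num_sections        # at least the headers themselves
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: about 8.0 for random data, 0.0 for a run of one byte value."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * log2(c / n) for c in Counter(buf).values())


def overlay_report(data: bytes, min_overlay: int = 1 << 20, min_entropy: float = 7.5) -> dict:
    """Flag files carrying a large, near-random overlay.
    Thresholds are assumptions for this example, not figures from the talk."""
    overlay = data[image_end_offset(data):]
    entropy = shannon_entropy(overlay)
    return {
        "overlay_size": len(overlay),
        "overlay_entropy": round(entropy, 3),
        "suspicious": len(overlay) >= min_overlay and entropy >= min_entropy,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one .text section of zeros) to exercise the parser.
    It is not a real executable and is not meant to run."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + b"\0" * 0x200 + overlay


if __name__ == "__main__":
    # Constructed inputs: a clean file, one padded with 2 MiB of uniformly distributed
    # bytes (entropy 8.0, standing in for random padding), and one padded with zeros.
    uniform = bytes(range(256)) * (8 << 10)
    for label, blob in (("clean", b""), ("random-padded", uniform), ("zero-padded", b"\0" * len(uniform))):
        print(label, overlay_report(build_sample_pe(blob)))
```

On a real corpus this is a triage filter, not a verdict: installers and self-extracting archives also carry large overlays, so the hit list still needs the signer, version-info description and versioning checks the talk walks through next.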
We can see here that they had been regularly changing strings, user agent strings. This was used in, I don't know, RCS version 9.3. They had been regularly changing the strings with various versions of Remote Control System. Again, after the leak this user agent is changed.

Again, another screenshot of leaked source code. They were generating some batch file for uninstallation. Before the leak, the batch file had names like random numbers dot BAT. This was in the most recent version in the leak, and again after the leak this batch file has a changed name.

So, putting it all together: improving the architecture of the code, masquerading with digital certificates and descriptions of applications, packing with VMProtect and making changes like batch file names. This is not something that random malware operators or random malware developers, like cyber criminals, would bother with. They would add some functionality into the spyware, not change these parts of the code. These changes are a typical procedure for Hacking Team developers. All this convinced us that Hacking Team developers are back in business. We don't know whether they sell the spyware as the Hacking Team company or as some other company, but it's not so important: the same guys are developing the spyware. It is a big and still-evolving business. We can see more and more companies joining this offensive business, and also we can see more and more countries which are interested in these solutions. Thank you very much for your attention.