New OS X spyware on the loose: Italy's Hacking Team is at it again

Italian backdoor 2

Mac security firm Intego has turned up a new version of the Remote Control System (RCS) Da Vinci rootkit, a pricey piece of dodgy spyware lawful intercept software sold to governments across the world by Italian security coders Hacking Team.

If Hacking Team's handiwork sounds benign, Intego has given it the new and rather alarming-sounding name, 'OSX/Crisis.B. The backdoor was first detected as 'Crisis' (officially called 'Da Vinci' by its makers) in the summer of 2012 when it was spotted targeting Moroccan journalists sympathetic to the Arab Spring.

Beyond the fact it targets Mac and Windows users and is littered with obviously Italian references (the dropper filename is named biglietta visita or 'business card'), Crisis.B is currently hard to detect. The 47 antivirus engines it was tested against on VirusTotal returned a result of zero detections, Intego said.

This isn't surprising. Crisis/Da Vinci goes out of its way to avoid detection using the MPress runtime packer, a technique for compressing the programme to make it harder for antivirus software to detect. This is far from foolproof; Intego's researchers figured out which packer had been used and ran scripts to unjumble the programme.

The payload victims of Crisis/Da Vinci will find themselves on the receiving end of is not a mystery either; Milan-based Hacking Team has openly described the programme's design as being to capture emails, passwords, IM sessions including Skype, web browsing, files and control the webcam.

Needless to say, Hacking Team's Da Vinci is controversial despite its designation as legal dual-use software used legitimately to monitor police and intelligence service targets. Another and better known example of the same type of programme would be Gamma International's FinFisher that was earlier this year discovered to have infected PCs across the world.

"Here in HackingTeam we believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities. Technology must empower, not hinder," the firm's website states, cheerily.

Security firms treat FinFisher and Da Vinci in the same way they treat any programme that executes as spyware and attempt to block it.

What is known is that Da Vinci is expensive, very expensive. In an interview last month, the firm claimed that customised versions sold for "hundreds of thousands of dollars." Many governments are said to have paid up, lured by its surveilance promise.

"Should you feel concerned by government targeted attacks, or recently received a 200k business card, then look for those [named] files in your Home folder and your Startup Disk," said Intego researcher, Peter James. Mac users be warned.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal TechsecurityIntego

More about IntegoSkypeTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place