Cybereason - behind the HackingTeam infection server

© 2015 Cybereason Inc. All rights reserved.
The ]HackingTeam[ incident
Alex Frazer & Amit Serper
with

Amit Serper
• Senior security researcher @ Cybereason
• Malware research
• Researching attack methodologies on Windows, Linux
and OSX (which is garbage)
• Writing ugly yet functional POC code that does evil stuff
and sometimes work
• ~9 Years @ Israeli govt.
• Security Research 
• Musician, Drummer @ Long day
(facebook.com/longdayofficial)
• Contact: amit@cybereason.com, @0xamit

• Security researcher @ Cybereason
• Malware simulation development
• Advanced windows security research
• Metasploit development/customization
• ~ 12 Years IT Consulting & Project Management
• Network Architecture & Design
• App Dev
• Database Design & Management
• System Architecture
• American (tomorrow will be an Israeli) 
• Contact: alex@cybereason.com, @awfrazer
Alex Frazer

Our goals for this evening:
1. Who/what are the hacking team?
2. The leak - What happened there?
3. Interesting stuff we found
4. How were the HackingTeam tools used for an attack operation
5. Demo
6. Beer (which you can actually drink right now…)

Background
• Alberto Ornaghi and Marco Valleri created some tools, the most
noticeable of them was EtterCap (MITM tool).
• Italian police used EtterCap to monitor and record skype calls.
• Italian police Asked Ornaghi and Valleri to develop the software further –
HackingTeam was born!

Exploits – what are they?
An exploit is a way of manipulating a program to run a piece of
code it wasn’t supposed to run in the first place.

Background (continued)
Hacking team:
• Italian “cyber” solution vendor
• Offensive & Defensive (pen-testing) solutions
• Wrote exploits and purchased them from third parties
• Provided services to a lot of agencies, governments,
regimes and even private corporations – Some of them
are conspicuous
• Created the RCS (Remote Control System) which we are
going to discuss today

The Hacking Team story…
• HackingTeam is breached in the beginning of July
• Website hacked and defaced
• HackingTeam’s own twitter account (@hackingteam) is
hacked and used to post a link to a 400+ GB torrent file
with all of their data!

• Inside that torrent file was a treasure:
• All of the exchange server data
• All of the RCS installers + manuals + source code
• Important and private documents
• Screenshots from employees machines
• All of the GIT repository
• Pirated software and pirated versions of Operating
systems
• 3 full server images! (Windows Attack server,
Android attack server and the helpdesk support
server)
The story continues…

Around 21:00 on July 5th we realized that
this is a disaster for the HackingTeam

But for us…

HT had some
“interesting” clients

Wait… 400 Gigabytes?!

How did it happen?

Don’t they have security people?

Meet mr Christian Pozzi

Damage control…

With courtesy of Hacking Team

What is RCS ?

Remote Control System

Powerful spying tool

It allows the attacker to have TOTAL control

Cross-Platform

Agent Modules
• Screenshots
• Collection of skype calls
• File transfer
• Bitcoin data exfiltration

Agent Modules

Building An Agent

Anonymization

System Information

Scalable Architecture

Campaign Flow
RCS User Decides to
Create New
Campaign
RCS User creates RCS
Agent for Campaign
RCS User Opens Support
Ticket with Hacking Team
To GenerateCampaign
Payload
RCS User Decides Infection
Vector
Web/Network Injection Vector
Write Agent to UEFI
Firmware
Physical Vector
Target Device
DeviceType
Persistence Vector
Desktop
Deploy APK on Device
Mobile Device
Write Agent Installer
to U3 Device
U3 USB
Bootable USB/CD/
DVD
Offline Install
Hosted Exploit?
No
Deploy To Customer
VPS
No
HackingTeam Deploys
to own VPS
Yes
Targeting Method
QR Code
Use Network Injector?
HTML
Yes
Network
Injection Type
Binary
Spearfishing E-mail

VPS to own VPS
Targeting Method
QR Code Accessed by
Target
QR Code
Link Presented as
SMS to Target
SMS
Exploit Page
Delivered to Target
Modified [Melted]
Binary Delivered to
Target
Link Presented to
Target through E-mail
Spearfishing E-mail
Scout Agent Installed
on Target
Scout Communicates
with C2 Server via
Anonymizer
Machine Analysis
Uninstall
Virtualization/Blacklisted Program
Indications Present
Upgrade to Soldier
Unsafe Environment
(Analysis Tools, A/V, etc)
Upgrade to Elite
Safe to Install

Let’s talk about the Network Injector

Meet RCS
Every infection target (customer) has an ID.

This is what a hosted infection link looks like:
http://46.38.63.194/docs/iAj3Ip/qieex.html
Meet RCS

This is where the fun starts…
Meet RCS

Meet RCS

Adwords?

HackingTeam delivered 2 exploits.

CVE-2015-5119 – Flash use-after-free vulnerability
in the ByteArray class in the AS3 implementation of
FlashPlayer
For code execution

Let’s look at some of the files

PHP is used for Browscap and for the rest of the
webserver related stuff (target fingerprinting)

Python is used for all of the ‘heavy lifting’
Xp_filter.py

Chrome_non_chrome_filter.py

But wait… privesc_filter.py?

Again, news buzzwords.
‘news’ is the priv_esc exploit + the RCS agent

News file descrambled and decrypted

CVE-2015-2426 – Buffer underflow in atmfd.dll,
Windows Adobe Type Manager Library.
For privilege escalation

mynewsfeeds.info

112 Jerusalem St., Tel Aviv

There is a logic here

Mod ReWrite RegEx Match
/docs/[a-zA-Z0-9]{6}/
Infections Left = 0
Return 404
Is Campaign Expired?
Process Invalid
No
Yes
Yes
Yes
No
UserAgent Filter Match
No
No
Log Valid
Yes
Log Invalid
Infect
Potential Victim

Android 4.x Remote Infection

Demo

Questions

www.cybereason.com
you.
Thank
Amit Serper:
amit@cybereason.com
@0xamit
Alex Frazer:
alex@cybereason.com
@awfrazer
Contact Us

Cybereason - behind the HackingTeam infection server

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cybereason - behind the HackingTeam infection server

Similar to Cybereason - behind the HackingTeam infection server (20)

Recently uploaded

Recently uploaded (20)

Cybereason - behind the HackingTeam infection server

Editor's Notes