A recent strain of Mac malware has left researchers speculating whether or not the Hacking Team has resumed operations.
The malware installs a version of the Hacking Team's Remote Code Systems (RCS) tool that appears to rely on old source code but uses Apple's binary protection feature and a small anti-debugging trick, Pedro Vilaça, a SentinelOne security researcher, wrote in a Monday blog post.
Either someone is maintaining and updating HackingTeam's code or this is indeed a legit sample compiled by the Hacking Team themselves, he said.
Vilaça reported that the code checks for newer OS X versions and does not exist in the Hacking Team's leaked source code.
He went on to say that the dropper technique and the code sample are more or less the same, but the malware's encryption key is dated three months after the Hacking Team compromise.
Patrick Wardle, a security researcher at Synack , also examined the malware and said the latest sample appears to install a new version of the old malware, but uses several tricks to evade detection and make it harder to analyze.
It is still unclear how the malware gets installed. Both researchers said complexity of the malware suggests that it isn't the work of amateurs.
As of Feb. 4, none of the 54 AV companies listed in Google's VirusTotal scanning service were able to detect the malware, and as of Feb. 29 it was only detected by 10 of 56 companies.
