'Aggressive' espionage-for-hire operation behind new Mac spyware

An Indian malware service is building attack software for projects involving secret surveillance.

Security researchers have uncovered an "aggressive" espionage-for-hire service that they say hacked Norwegian carrier Telenor and more recently built Mac malware to spy on an Angolan activist.


Previously unseen Mac spyware that was recently found on an Angolan activist's laptop was made by a well-organised group of Indian hackers who have been in the espionage business for the past three to four years, according to new research by Norwegian security firm Norman.

Norman's chief researcher, Snorre Fagerland, began investigating the group after Norway's largest carrier Telenor revealed it was compromised in a spearphishing attack on executives in March.

Telenor made the rare move of handing samples of the malware to Norway's National Security Authority, NorCERT, samples that Fagerland and Shadowserver Foundation researcher Ned Moran were then able to analyse for their investigation.

According to Fagerland, the group behind the malware used in the Telenor attack has built an extensive command-and-control network of over 600 domains, used either to distribute the hundreds of keyloggers and other information-stealing malware the group has created, or simply to host phishing pages.

"I think we have about 800 different [malware] samples in our sample set that we know are related to this," Fagerland told ZDNet.

The group's main method of attack is phishing emails combined with malware, said Fagerland, who dubbed the operation "HangOver" because the term is encoded in a family of malware created by the group. Much of the coding, however, is outsourced to contractors.

"The data we have appears to indicate that a group of attackers based in India may have employed multiple developers tasked with delivering specific malware," Fagerland said.

For example, one sample included a reference to "VB Team Matrix Production", indicating a team dedicated to building with Visual Basic development tools. "The projects seem to be delegated into tasks, of which some seem to follow a monthly cycle," Norman notes in its report.

Targets were based in a range of countries, including Pakistan, the US, China, Iran, Thailand, Jordan, Indonesia, the UK, Norway, Germany, Austria, Poland, and Romania.

Fagerland said he was certain the Mac spyware found on the Angolan activist's computer, which was signed with a valid Apple Developer ID account and designed to siphon screenshots from victims, was the work of HangOver hackers.

"The reason we're certain this malware was from the same group is because we know that it connects to the same command and control," he said.

Despite successfully compromising Telenor, the hackers are not advanced: they rely on exploits for old, already-patched flaws in Internet Explorer, Java and Microsoft Word. The group is, however, well-organised, according to Fagerland.

"They're good at bulk actions like registering domains in bulk and managing many computers, but the code is not that advanced and the operational security appears to have been really bad in terms of covering their tracks; other players in this environment are much better at that," he said.

The researchers uncovered a number of unsecured command servers holding data stolen from malware-infected computers, and the hackers signed their malicious creations with the same certificate.

"The group appears not to be very advanced, but they are really aggressive in picking targets and once they have picked the target they are trying over and over again," Fagerland said.

Norman is certain the group is located in India because of the repeated use of the same IP addresses, domain registrations and identifiers in the malicious code itself.
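The attribution logic described above, linking the Mac sample to the Windows keyloggers through a shared command-and-control domain and tying the wider sample set together through a shared signing certificate and embedded strings, is a pivot on shared indicators. The following is an added example of that pivot, not code from Norman's or Shadowserver's investigation; the sample names, domains, certificate serials and strings are constructed placeholders, not real HangOver indicators.

```python
"""Pivot on shared indicators to link malware samples into one campaign.

Added example, not code from the original report. The sample data is
constructed: the sample names, domains and certificate serials are
placeholders, not real indicators from the HangOver operation.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample set: sample id -> indicators extracted from the binary.
# Indicator kinds mirror the pivots described in the article: C2 domains the
# sample talks to, the code-signing certificate serial, and identifying
# strings found in the code (e.g. a family name or a team marker).
SAMPLES = {
    "win-keylogger-1": {
        "c2": {"update-check.example", "mail-relay.example"},
        "cert": {"SERIAL-A"},
        "string": {"HangOver"},
    },
    "win-keylogger-2": {
        "c2": {"mail-relay.example"},
        "cert": {"SERIAL-A"},
        "string": {"HangOver", "VB Team Matrix Production"},
    },
    "mac-screenshotter": {
        "c2": {"update-check.example"},   # shares C2 with win-keylogger-1
        "cert": {"APPLE-DEV-ID-X"},       # different signer, different platform
        "string": set(),
    },
    "unrelated-adware": {
        "c2": {"ads.other.example"},
        "cert": {"SERIAL-Z"},
        "string": set(),
    },
}


class DisjointSet:
    """Union-find so that links are transitive (A~B and B~C imply A~C)."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_indicators(samples):
    """Invert the sample table: (kind, value) -> set of sample ids carrying it."""
    index = defaultdict(set)
    for sid, indicators in samples.items():
        for kind, values in indicators.items():
            for value in values:
                index[(kind, value)].add(sid)
    return index


def cluster(samples):
    """Group samples that share any indicator, transitively.

    Returns ({root_id: sorted member ids}, [(a, b, kind, value), ...]) where
    the second element records every pairwise link and the indicator behind it.
    """
    index = shared_indicators(samples)
    ds = DisjointSet(samples)
    evidence = []
    for (kind, value), members in index.items():
        for a, b in combinations(sorted(members), 2):
            ds.union(a, b)
            evidence.append((a, b, kind, value))
    groups = defaultdict(list)
    for sid in samples:
        groups[ds.find(sid)].append(sid)
    return {root: sorted(m) for root, m in groups.items()}, evidence


def same_campaign(samples, a, b):
    """True if a and b land in one cluster, plus the links that involve either."""
    groups, evidence = cluster(samples)
    linked = any(a in members and b in members for members in groups.values())
    return linked, [e for e in evidence if a in e[:2] or b in e[:2]]


if __name__ == "__main__":
    groups, _ = cluster(SAMPLES)
    for members in groups.values():
        print("cluster:", members)
    linked, why = same_campaign(SAMPLES, "mac-screenshotter", "win-keylogger-2")
    print("Mac sample linked to Windows keylogger:", linked)
    for a, b, kind, value in why:
        print(f"  {a} <-> {b} via {kind}={value}")
```

The Mac sample ends up in the same cluster as both Windows keyloggers even though it shares no certificate or string with them: the C2 domain links it to the first keylogger, and the certificate and family string link that one to the second. The caveat a practitioner would add is that a shared domain is only strong evidence when the domain is attacker-controlled; a shared hosting address, a public DNS resolver or a common third-party service would link unrelated samples, so indicator kinds should be weighted before a cluster is treated as one group.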