Hacking Team RCS and other tools

Forum for analysis and discussion about malware.
driverobject
Posts: 27
Joined: Sat Oct 23, 2010 11:40 pm
Location: Earth

Hacking Team RCS and other tools

Post by driverobject » Mon Jul 06, 2015 10:41 pm

Some of the claims by these guys seem to be way too long a shot, such as decrypting PGP and others. While malware installed on a system could gain access to the unencrypted traffic, can anybody here actually confirm there is merit to some of the overblown features they are talking about? This comes to mind after the recent hack they were exposed to. And they also claim to have the most advanced infection vectors; however, in one attack they published on CitizenLab https://citizenlab.org/2015/03/hacking- ... d-spyware/ they are using a .doc file attack, which seems a bit outdated for an attack done in 2014.
-------------
DriverObject

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Hacking Team RCS and other tools

Post by EP_X0FF » Tue Jul 07, 2015 5:28 am

Except for the exploits, I found nothing interesting (for me at least) in this pack of junk. What exactly do you want to know: are they as good as they claimed for marketing purposes?
Ring0 - the source of inspiration

driverobject
Posts: 27
Joined: Sat Oct 23, 2010 11:40 pm
Location: Earth

Re: Hacking Team RCS and other tools

Post by driverobject » Tue Jul 07, 2015 6:04 am

Yeah, did they actually have 0-days and solid malware, or just good-enough malware? Teaching those agencies how to send good phishing emails with known document exploits?
Btw, I'm still trying to download a magnet link to the files; it's been 8 hours and it's still downloading metadata :) Any better way to download it?
-------------
DriverObject

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Hacking Team RCS and other tools

Post by EP_X0FF » Tue Jul 07, 2015 8:17 am

Shit in dirs view can be found here http://ht.transparencytoolkit.org/, files downloadable. Currently the most interesting folder is http://ht.transparencytoolkit.org/gitla ... i-Browser/, an unknown Adobe zeroday.

From what I see, they bought some exploits and probably developed some; for example, they have a self-made font fuzzer.
Ring0 - the source of inspiration

driverobject
Posts: 27
Joined: Sat Oct 23, 2010 11:40 pm
Location: Earth

Re: Hacking Team RCS and other tools

Post by driverobject » Tue Jul 07, 2015 11:02 am

Thank you, as always great information.
-------------
DriverObject

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Hacking Team RCS and other tools

Post by Xylitol » Tue Jul 07, 2015 12:26 pm

Haven't looked at the binaries yet, I'm just exploring the content online, and it seems there is a lot of warez/garbage/junk; I noticed some files anyway.

Githubs:
https://github.com/9b/hackingteam_infra
https://github.com/hackedteam
https://github.com/informationextraction

Online mirrors (browse with caution):
hxtps://ht.transparencytoolkit.org/
hxtps://hacked.thecthulhu.com/HT/
hxtp://hacking.technology/Hacked%20Team/
hxtp://ht.musalbas.com/

ID Cards: /Amministrazione/07 - PERSONALE/06 - Documenti Personali/
Spanish intelligence agency: /Amministrazione/01 - CLIENTI/6 - Offensiva/CNI Documentazione 2010.rar
5k Job contract: /Amministrazione/07 - PERSONALE/05 - Contratti/3 - CONTRATTI/Pelliccione/Contratto 01-03-13.pdf
VMprotect: /rcs-dev\share/HOME/guido/9.2-vmprotect-licenza.zip
Themida: /rcs-dev\share/HOME/Ivan/full_themida_core/
IDA key file v5.4: /rcs-dev\share/HOME/rev/ida.key
VPS credentials: /rcs-dev\share/HOME/cristian/DocVpsDaniele/VPS_LIST.txt
httpX: /rcs-dev\share/HOME/Naga/httpX/
Backdoor: /rcs-dev\share/HOME/ALoR/htdocs/conf.php
Exploit kit ?: /rcs-dev\share/HOME/ALoR/htdocs/
elevator.c: /gitlab/Windows-Multi-Browser/2_stage_shellcode_source/source_pie_8.1/elevator.c
VUPEN stuff: /FileServer/FileServer/Hackingteam/OLD/vupen security exploits/
RCS lics: /FAE DiskStation/4. INTERNAL/4.1. Product Licenses/

Fun/drama tweets:
https://twitter.com/ydklijnsma/status/6 ... 9535885313
https://twitter.com/pwnallthethings/sta ... 2005181440
https://twitter.com/hertzmau5/status/61 ... 52/photo/1
https://twitter.com/Mario_Greenly/statu ... 6032539648
@christian_pozzi's twitter account got deleted; the community manager of Hacking Team will have a hard week.

Collateral damage (Blue Coat partner portal info leak).
I suppose there is more, but I'm bored of testing passwords.

USForce
Global Moderator
Posts: 98
Joined: Mon Mar 08, 2010 9:03 am

Re: Hacking Team RCS and other tools

Post by USForce » Thu Jul 09, 2015 10:42 am

To me it looks like a vintage piece of code - apart from the 0day exploits, some of them probably bought by Vupen. I agree, the font fuzzer has been written by them, but I have some doubts about the Flash 0day.

About the Windows driver code, it's quite questionable I'd say - some parts of the code look like they were written by somebody who has no clue what he's doing.

R136a1
Forum Admin
Posts: 225
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Hacking Team RCS and other tools

Post by R136a1 » Thu Jul 09, 2015 1:08 pm

You are right, the Flash exploits were purchased from a private exploit developer: https://twitter.com/VoxelNight/status/6 ... 3968707584

In the past, this guy released some exploits publicly and also contributed to bug bounty programs.

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Hacking Team RCS and other tools

Post by Xylitol » Thu Jul 09, 2015 4:23 pm

Subject: some ideas that might help ...
https://wikileaks.org/hackingteam/emails/emailid/493916

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Hacking Team RCS and other tools

Post by rkhunter » Fri Jul 10, 2015 11:03 am

