Hacking Team’s Legacy Continues as Memento Labs Unveils LeetAgent Spyware

By Tina Reynolds

Hacking Team is an Italian spyware vendor with a checkered past that always seems to operate in the shadows of cyber intrusions and scandal. Just a month later, in July 2015, the company suffered a significant breach. The incident resulted in the leak of hundreds of gigabytes of internal data, including a treasure trove of the tools and exploits it used throughout its operations. The event not only embarrassed the company but also exposed the risks that come with the wide-ranging surveillance capabilities it wields.

After the hack, Hacking Team’s hardware was also stolen in Panama City, adding just another layer of absurdity to the company’s position in the cybersecurity realm. Soon enough, by April 2016, the company ran into even wider troubles when its license to sell products outside of Europe was rescinded. Despite these challenges, Hacking Team continued to operate, offering offensive intrusion and surveillance technology to various governments, law enforcement agencies, and corporations worldwide.

Memento Labs, also known as mem3nt0, is the heir of Hacking Team. The change of name came after Hacking Team's merger with InTheCyber Group in April 2019. The company is now under fire for deploying LeetAgent spyware on behalf of police, a tool that has so far been the biggest asset in highly targeted cyber operations.

The Evolution of Spyware

Hacking Team has long been recognized for its development of spyware capable of monitoring the Tor browser, a popular platform for anonymous communication. After installation is complete, the spyware connects to a command-and-control (C2) server over HTTPS. Through this connection, it can accept commands that open up a broad range of features. This includes being able to execute commands, control processes, and manipulate files on infected devices.

What exactly can this malware do? It handles the mundane, such as traversing directories, but it also supports more sophisticated operations such as injecting shellcode and keylogging. For example:

  • 0xC033A4D (COMMAND) – Run command using cmd.exe
  • 0xECEC (EXEC) – Execute a process
  • 0xF17ED0 (FILE \xD0) – Read a file
  • 0x1213C7 (INJECT) – Inject shellcode

As these commands show, Hacking Team's spyware gave its operators sweeping dominion over infected machines. Hacking Team's Windows malware is now in maintenance mode, and the company has since turned its attention to mobile platforms, showing how it has learned to change with the times.
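As an added illustration (not code from the article or from the analysis it reports on), the Python below scans a byte buffer for the command identifiers listed above, a cheap triage heuristic an analyst can run over an unpacked sample or memory dump. The 32-bit little- and big-endian encodings it tries are an assumption, as is the constructed sample buffer.

```python
import struct

# LeetAgent command identifiers quoted in the article. Only the constants come
# from the report; how they are laid out in memory is assumed here (32-bit words).
LEETAGENT_COMMANDS = {
    0xC033A4D: "COMMAND (run via cmd.exe)",
    0xECEC: "EXEC (execute a process)",
    0xF17ED0: "FILE 0xD0 (read a file)",
    0x1213C7: "INJECT (inject shellcode)",
}


def _encodings(value):
    """Yield (label, bytes) for the 32-bit little- and big-endian forms of value."""
    yield "le32", struct.pack("<I", value)
    yield "be32", struct.pack(">I", value)


def find_command_constants(blob):
    """Return sorted (offset, name, encoding) hits for known command identifiers.

    A hit is a lead for manual review, not proof of infection: 4-byte values
    collide easily in arbitrary binaries, so confirm each hit in context.
    """
    hits = []
    for value, name in LEETAGENT_COMMANDS.items():
        for label, needle in _encodings(value):
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, name, label))
                start = idx + 1  # keep scanning for overlapping/repeated hits
    return sorted(hits)


# Constructed sample buffer: filler bytes with two identifiers embedded,
# one little-endian at offset 8 and one big-endian at offset 17.
SAMPLE = (b"\x00" * 8 + struct.pack("<I", 0xC033A4D)
          + b"\x90" * 5 + struct.pack(">I", 0x1213C7) + b"\xff" * 3)

if __name__ == "__main__":
    for off, name, enc in find_command_constants(SAMPLE):
        print(f"offset {off:#06x}: {name} [{enc}]")
```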

In 2022, Hacking Team released Dante spyware as a replacement for its earlier Remote Control System (RCS). Dante is outfitted with multiple protections built to evade analysis, making it a powerful weapon against unknown cybersecurity countermeasures.

The New Threat Landscape

Memento Labs has previously highlighted its participation in many of these offensive cyber operations, especially those targeting Russia and Belarus. Reports show that the company’s tools have been instrumental in executing targeted spear-phishing campaigns. These attacks have focused on media organizations, higher education institutions, academic research centers, and government agencies in these countries.

Boris Larin, a cybersecurity expert, provided insights into the recent activities involving Memento Labs:

“We observed multiple intrusions against organizations and individuals in Russia and Belarus, with lures aimed at media outlets, universities, research centers, government bodies, financial institutions, and others in Russia.”

The use of LeetAgent backdoor has also been recently discovered as a tactical enabler in these operations.

“In several incidents, the LeetAgent backdoor used in Operation ForumTroll directly launched the more sophisticated Dante spyware.” – Boris Larin

Larin’s in-depth analysis sheds a sobering light on the increasing sophistication of the cyber threats coming out of Memento Labs. In particular, he highlights the strategic advantage that knowledge of Russian language and culture provides, an advantage that is clear in the group’s work.

“Proficiency in Russian and familiarity with local peculiarities are distinctive features of the ForumTroll APT group, traits that we have also observed in its other campaigns.” – Boris Larin

He also pointed out that some of the attackers may not be native Russian speakers, indicating that the operators do not all share the same background.

“However, mistakes in some of those other cases suggest that the attackers were not native Russian speakers.” – Boris Larin

This new information reinforces a growing concern that foreign actors could easily take advantage of local vulnerabilities found within these regions.

Implications for Cybersecurity

The aggressive activities of Memento Labs indicate a dangerous trend in today’s cybersecurity landscape. With advanced tools like LeetAgent and Dante spyware in play, organizations are urged to enhance their defenses against potential intrusions.

The implications are more than just technical matters. As geopolitical tensions spill over from physical to digital domains, so too do their effects on political and social dimensions. This connection between Hacking Team’s legacy and current operations highlights the ongoing menace that such advanced spyware vendors represent.

As the malefactors’ digital toolkit grows, so does their playbook. As cyber threats grow more complex and discerning, organizations need to be vigilant and proactive, adopting a robust cybersecurity posture to protect sensitive data and ensure operational integrity.