Chinese group said to use HackingTeam tools to spread ransomware, cryptominers

A sophisticated Chinese cybercrime group is using old, leaked computer code from a notorious cyber-arms dealer known as HackingTeam to breach thousands of companies, mostly based in Asia, according to new research by Israel cybersecurity firm Intezer.

The latest observation shows how HackingTeam’s breach in 2015, when its wares leaked online for anyone to copy, is still having effects on global security.

HackingTeam claims that it only sells its “lawful intercept” product to governments and law enforcement agencies, but prior investigations have shown the extent to which these tools are often abused by authoritarian regimes to target otherwise innocent dissidents. The 2015 leak provided these powerful capabilities to a wide array of people, including apparently cybercriminals.

Intezer explained in a blog post published Tuesday that researchers first noticed a series of unique remote access trojans, cryptominers and ransomware variants for Windows, Linux and Android platforms while monitoring public data feeds. In addition, the group appears to be focused on hacking into personal cryptocurrency wallets to steal Monero, a cryptocurrency that’s become synonymous with criminal schemes.

Over the last year, the malware appeared to be spread by a Chinese entity that Intezer dubbed “Iron Cybercrime Group,” equipped with HackingTeam’s RCS exploit, a type of spyware. Further analysis showed the actual exploits themselves were already publicly available, suggesting they were not directly purchased but rather taken from an online repository storing the leaked material.

“This is likely an advanced Chinese criminal group,” Ari Eitan, head of research with Intezer, told CyberScoop. “It’s rare to see people using the old HT [HackingTeam] code, today, because with stuff like this it’s not as simple as a copy and paste. Lot’s of other source code is effective and easier to adopt. … What we see is a big operation with recently written tools.”

The incident also provides a window into how domestic hacking groups in China develop their malware to specifically evade popular, domestic anti-virus products. The aforementioned backdoors, cryptominers and ransomware variants recently attributed to Iron Cybercrime Group were all configured in a way to avoid Chinese cybersecurity firm Qihoo 360’s anti-virus engine, according to Intezer. Whenever the group’s malware detected Qihoo, the final payload wouldn’t be installed on the targeted computer.

Historically, experts say the dividing line between China’s government and criminal hacking sphere is blurred. The Chinese government is known to use contractors. And in the past, Chinese soldiers responsible for official, Beijing-backed cyber-operations were also caught committing crimes against commercial American companies unassociated with the U.S. government, based on indictments made by the Justice Department.

Other activity attributed to Iron Cybercrime Group was previously captured by cybersecurity firm MalwareBytes.