DaVinci surveillance malware distributed via zero-day Flash Player exploit, researchers say

The attacks targeted activists from the Middle East, according to Kaspersky Lab researchers

By Lucian Constantin, IDG News Service |  Security

It's not clear if the zero-day exploit for CVE-2013-0633 was sold by HackingTeam together with the surveillance malware or if whoever purchased the program obtained the exploit from a different source, Raiu said.

HackingTeam did not immediately respond to a request for comment.

In previous attacks detected by Kaspersky Lab, DaVinci was distributed via exploits for Flash Player vulnerabilities that were discovered by French vulnerability research firm Vupen, Raiu said.

Vupen openly admits to selling zero-day exploits, but claims that its customers are government and law enforcement agencies from countries that are members or partners of NATO, ANZUS or ASEAN.

The DaVinci installer dropped on computers by the CVE-2013-0633 exploit in the first stage of the attack was signed with a valid digital certificate issued by GlobalSign to an individual named Kamel Abed, Raiu said.

GlobalSign did not immediately respond to a request for more information about this certificate and its current status.

This is consistent with past DaVinci attacks in which the dropper was also digitally signed, Raiu said. Previous certificates used to sign DaVinci droppers were registered to one Salvetore Macchiarella and a company called OPM Security registered in Panama, he said.

According to its website, OPM Security sells a product called Power Spy for €200 (US$267) under the headline "spying on your husband, wife, children or employees." Power Spy's feature list is very similar to the feature list of DaVinci, which means that OPM might be a reseller of HackingTeam's surveillance program, Raiu said.

This is not the first case in which lawful surveillance malware has been used against activists and dissidents in countries where free speech is limited.

There are previous reports of FinFisher, a computer surveillance toolkit developed by U.K.-based company Gamma Group International, being used against political activists in Bahrain.

Researchers from the Citizen Lab at the University of Toronto's Munk School of Global Affairs also reported back in October that HackingTeam's RCS (DaVinci) program was used against a human rights activist from the United Arab Emirates.

This type of program is a ticking time bomb because of the lack of regulation and uncontrolled selling, Raiu said. Some countries have restrictions on the export of cryptographic systems, which would theoretically cover such programs, but these restrictions can be easily bypassed by selling the software through offshore resellers, he said.
