Wild Neutron uncovered by security researchers at Symantec and Kaspersky
Two security firms have discovered a shadowy new hacker collective known as Wild Neutron that has targeted a number of big name firms in the tech industry.
The group also goes by the names Jripbot and Morpho, and since 2011 it has attacked targets across the world. The hackers are said to focus on corporate espionage and are financially (not politically) motivated.
The group has apparently hacked companies such as Apple, Facebook, Twitter and Microsoft, as well as bitcoin firms, law firms, investment companies, healthcare and real-estate companies, as well as individual users.
“The focus of the attacks suggests that this is not a nation-state sponsored actor,” said Kaspersky Lab. “However, the use of zero-days, multi-platform malware as well as other techniques makes Kaspersky Lab researchers believe it’s a powerful entity engaged in espionage, possibly for economic reasons.”
Its infection vector is still unknown, but it is thought that the victims are compromised by a kit that leverages an unknown Flash Player exploit through compromised websites. “The exploit delivers a malware dropper package to the victim,” said the security vendor. The dropper was apparently signed with a legitimate code verification certificate (from a popular maker of consumer electronics), which allowed the malware to avoid detection by some protection solutions. That certificate is now being revoked.
After getting into the system, the dropper installs the main backdoor, and it seems that the hackers have taken a great deal of care in hiding the command and control (C&C) server address and in ensuring the malware’s ability to recover from a C&C shutdown.
“Wild Neutron is a skilled and quite versatile group. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.
“Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile via solid operational security which has so far eluded most attribution efforts,” said Raiu. “The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the ‘Ansar Al-Mujahideen English Forum’) and Bitcoin companies indicates a flexible yet unusual mindset and interests.”
Symantec meanwhile has confirmed the group’s existence, but it calls the hacker gang “Butterfly.”
“Butterfly is technically proficient and well resourced,” said Symantec. “The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organisation, it will clean up after itself before moving on to its next target.
“This group operates at a much higher level than the average cybercrime gang,” it said. “It is not interested in stealing credit card details or customer databases and is instead focused on high level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider trading purposes.”