In 2013, a hacker group known to Kaspersky Lab as “Wild Neutron” (also known as “Jripbot” and “Morpho”) attacked several high-profile companies, including Apple, Facebook, Twitter and Microsoft. After the incident was widely publicized, the threat actor went dark for almost a year. However, in late 2013 and early 2014 the attacks resumed, and they have continued in 2015.

The actor uses a stolen but valid code-signing certificate and an unknown Flash Player exploit to infect companies and private users around the world and steal sensitive business information.


Kaspersky Lab researchers were able to identify targets of Wild Neutron in 11 countries and territories, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

They include:

• Law firms
• Bitcoin-related companies
• Investment companies
• Groups of large companies often involved in M&A deals
• IT companies
• Healthcare companies
• Real estate companies
• Individual users

The focus of the attacks suggests that this is not a nation-state sponsored actor. However, the use of zero-days and multi-platform malware, as well as other techniques, leads Kaspersky Lab researchers to believe it is a powerful entity engaged in espionage, possibly for economic reasons.


The attack

The initial infection vector of the recent attacks is still unknown, although there are clear indications that victims are exploited by a kit that leverages an unknown Flash Player exploit delivered through compromised websites. The exploit drops a malware dropper package onto the victim’s machine.

In the attacks observed by Kaspersky Lab researchers, the dropper was signed with a legitimate code-signing certificate. A valid signature allows malware to avoid detection by some protection solutions. The certificate used in the Wild Neutron attacks appears to have been stolen from a popular manufacturer of consumer electronics. The certificate is now being revoked.

After gaining a foothold on the system, the dropper installs the main backdoor.

In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What really stands out is the attackers’ care in hiding the command and control (C&C) server address and the malware’s ability to recover from a C&C shutdown. The command and control server is an important part of the malicious infrastructure, as it serves as a “home base” for the malware deployed on victims’ machines. Special measures built into the malware help the attackers protect the infrastructure from any possible C&C takedown.

Mysterious origin

The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication.

“Wild Neutron is a skilled and quite versatile group. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X. Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile via solid operational security which has so far eluded most attribution efforts. The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mind-set and interests,” said Costin Raiu, Director, Global Research and Analysis Team at Kaspersky Lab.

Kaspersky Lab products successfully detect and block the malware used by the Wild Neutron threat actor with the following detection names:

• Trojan.Win32.WildNeutron.gen
• Trojan.Win32.WildNeutron.*
• Trojan.Win32.JripBot.*
• Trojan.Win32.Generic
