Saturday October 20, 2018

Wild Neutron: A powerful threat returns with new tricks and victims
In early 2013, a hacker group known to Kaspersky Lab as “Wild Neutron” (also known as “Jripbot” and “Morpho”) attacked several high-profile companies including Apple, Facebook, Twitter and Microsoft. After the incident was widely publicized, the threat actor went dark for almost a year. However, in late 2013 and early 2014 the attacks resumed, and they were still ongoing in 2015.

The actor uses a stolen but still valid code-signing certificate and a previously unknown (zero-day) Flash Player exploit to infect companies and private users around the world and steal sensitive business information.

Kaspersky Lab researchers have identified Wild Neutron victims in 11 countries and territories: France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, the UAE, Algeria and the United States.

The targets include:

• Law firms
• Bitcoin-related companies
• Investment companies
• Groups of large companies often involved in M&A deals
• IT companies
• Healthcare companies
• Real estate companies
• Individual users

The focus of the attacks suggests that this is not a nation-state sponsored actor. However, the use of zero-days and multi-platform malware, together with other techniques, leads Kaspersky Lab researchers to believe it is a powerful entity engaged in espionage, possibly for economic reasons.

Map: Wild Neutron victims by country

The attack

The exact initial infection vector of the recent attacks is still unknown, although there are clear indications that victims are compromised through legitimate websites that have been injected with an exploit kit using a previously unknown Flash Player exploit. The exploit delivers a malware dropper package to the victim’s machine.

In the attacks observed by Kaspersky Lab researchers, the dropper was signed with a legitimate code-signing certificate. A valid signature lets the malware pass security products that treat signed binaries as trustworthy. The certificate used in the Wild Neutron attacks appears to have been stolen from a popular manufacturer of consumer electronics, and it is now being revoked. Revocation only helps on endpoints whose verification actually consults the issuer’s CRL or OCSP responder; a check that stops at “the signature chains to a trusted root” will keep accepting the signed dropper.
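As an added illustration, not from Kaspersky Lab’s report or this article, the Go program below builds a throwaway code-signing PKI in memory, signs a stand-in for the dropper with the leaf key (the attacker’s step with the stolen certificate), and then runs the check a defender should apply: chain validation with the code-signing extended key usage, the signature itself, and a lookup in the issuer’s CRL. The CA, the vendor name, the serial numbers and the payload are all constructed for the example, and a raw ECDSA signature over a SHA-256 digest stands in for an Authenticode signature. It demonstrates the point made above: until the issuer publishes a revocation and the verifier actually consults it, a stolen but otherwise valid certificate passes every check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is the constructed material: a private CA and the code-signing leaf it issued, which stands in for the stolen vendor certificate.
type pki struct {
	ca, leaf       *x509.Certificate
	caKey, leafKey *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer under parent and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// mustNewPKI builds the CA and the leaf in memory. All names and serials are made up for the example.
func mustNewPKI() *pki {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: this CA may revoke
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root; Go fills in its SubjectKeyId
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Electronics Vendor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return &pki{ca: ca, caKey: caKey, leaf: issue(leafTmpl, ca, &leafKey.PublicKey, caKey), leafKey: leafKey}
}

// signPayload is the attacker's step: a raw ECDSA signature over SHA-256(payload) stands in for Authenticode with the stolen key.
func signPayload(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	d := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// revokeLeaf is the CA's step once the theft is known: publish a CRL listing the leaf's serial (RevokedCertificates exists in every Go version).
func (p *pki) revokeLeaf() *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.leaf.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey))
	return must(x509.ParseRevocationList(der))
}

// verifyDropper is the defender's check: chain to a trusted root with the code-signing EKU, the signature over the
// payload, then the CRL lookup that a "signed, therefore safe" policy skips. crl may be nil. A nil result means trusted.
func verifyDropper(p *pki, crl *x509.RevocationList, payload, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	if _, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if d := sha256.Sum256(payload); !ecdsa.VerifyASN1(p.leaf.PublicKey.(*ecdsa.PublicKey), d[:], sig) {
		return fmt.Errorf("signature does not match payload")
	}
	if crl == nil {
		return nil // no revocation data consulted: the stolen but valid certificate is accepted, which is what the attackers rely on
	}
	if err := crl.CheckSignatureFrom(p.ca); err != nil {
		return fmt.Errorf("crl: %w", err) // never act on a CRL the issuer did not sign
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return fmt.Errorf("signing certificate serial %d is revoked", rc.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := mustNewPKI()
	dropper := []byte("constructed stand-in for the dropper binary")
	sig := must(signPayload(p.leafKey, dropper))
	fmt.Println("before revocation:", verifyDropper(p, nil, dropper, sig))
	fmt.Println("after revocation:", verifyDropper(p, p.revokeLeaf(), dropper, sig))
}
```

Running the program prints `<nil>` before revocation and a revoked-serial error afterwards. A verifier that never fetches the CRL (or an OCSP response) behaves exactly like the `crl == nil` branch, which is why revoking the stolen certificate does nothing for endpoints that only test whether a signature chains to a trusted root.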

Once on the system, the dropper installs the main backdoor.

In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What stands out is the care the attackers take to hide the command-and-control (C&C) server address, and the malware’s ability to recover from a C&C shutdown. The C&C server is a central part of the malicious infrastructure, serving as the “home base” for the malware deployed on victims’ machines, and the malware includes special measures to protect that infrastructure from takedown attempts.

Mysterious origin

The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Goodbye” in Romanian) as the marker that ends C&C communication.

“Wild Neutron is a skilled and quite versatile group. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X. Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile via solid operational security which has so far eluded most attribution efforts. The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mind-set and interests,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Kaspersky Lab products detect and block the malware used by the Wild Neutron threat actor under the following detection names:

• Trojan.Win32.WildNeutron.gen
• Trojan.Win32.WildNeutron.*
• Trojan.Win32.JripBot.*
• Trojan.Win32.Generic

Copyright 2015 NewsGram

Next Story

Twitter bans Russia-based Kaspersky Lab from buying ads

Twitter has banned Russia-based cyber security firm Kaspersky Lab from advertising on its platform, stating that the company “operates using a business model that inherently conflicts with acceptable Twitter Ads business practices.”

In an open letter to Twitter CEO Jack Dorsey, Kaspersky Lab’s founder Eugene Kaspersky has called the move “potential political censorship”.


“At the end of January, Twitter unexpectedly informed us about an advertising ban on our official accounts where we announce new posts on our various blogs on cybersecurity (including, for example, Securelist and Kaspersky Daily) and inform users about new cyberthreats and what to do about them,” Eugene wrote on Friday.

“In a short letter from an unnamed Twitter employee, we were told that our company ‘operates using a business model that inherently conflicts with acceptable Twitter Ads business practices’,” he added.

Kaspersky Lab spent around $93,000 to promote its content on Twitter in 2017 and its India advertising share on Twitter was around $13,580.

“No matter how this situation develops, we won’t be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the @EFF. They do a lot to fight censorship online,” Eugene tweeted on Saturday.

According to a report in Cyberscoop, a Twitter spokesperson pointed to the US Department of Homeland Security (DHS) Binding Operational Directive 17-01 of September 2017, which ordered federal agencies to remove Kaspersky products from their networks.


“Kaspersky Lab may remain an organic user on our platform, in accordance with the Twitter Rules,” a Twitter spokesperson told The Register.

“Twitter is playing into the hands of cybercriminals when it hinders the delivery of important information on protection from cyberthreats,” Eugene said.

“The majority of our promoted content on Twitter has been about cybersafety and research and reports about the information security industry. We believe that this content brings value to a variety of Twitter users.”

“Twitter, if this is a matter of a decision being made in error, please openly admit this; people’d forgive you – everyone makes mistakes! I think that would be the only civilized way to quash any doubts about potential political censorship on Twitter,” Eugene said.


The Kaspersky Lab founder said that more than two months have passed and the only reply he received from Twitter was the copy of the same boilerplate text.

“Accordingly, I’m forced to rely on another (less subtle but nevertheless oft and loudly declared) principle of Twitter’s – speaking truth to power – to share details of the matter with interested users and to publicly ask that you, dear Twitter executives, kindly be specific as to the reasoning behind this ban,” he said. IANS