How the Wild Neutron Hacker Group Avoids Detection
The hacker group known as Wild Neutron is still actively attacking companies around the world, a number of years after the group was first discovered in 2011. Both Kaspersky Lab and Symantec have reported renewed activity from Wild Neutron (Symantec now refers to the group as "Butterfly") this year.
Wild Neutron/Butterfly has been implicated by Kaspersky Lab and Symantec as being involved in zero-day attacks against Apple, Facebook, Twitter and Microsoft back in 2013.
"Butterfly is a disciplined, technically capable group with a high level of operational security," Symantec wrote in a blog post. "Having managed to increase its level of activity over the past three years while maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations."
According to Kaspersky Lab, the new attacks from Wild Neutron/Butterfly in 2015 involve the use of a code signing certificate that was allegedly stolen from electronics vendor Acer, as well as a new Flash Player exploit.
Adobe issued an update for Flash Player on July 8, patching 36 vulnerabilities, but it's not clear at this point if the Flash vulnerability used by Wild Neutron is one that was patched.
"We didn't have a chance to look at the exploit; we've only seen indirect artifacts," Marta Janus, security researcher for the Global Research and Analysis Team at Kaspersky Lab, told eWEEK. "That's why it is not possible, at the moment, to find out how exactly the exploit was used."
Given that the hacker group has been active for several years, it's interesting to note that the hackers have yet to be caught by law enforcement. Janus noted that the attackers have been extremely careful in covering their tracks. She added that the Wild Neutron attackers target just a small number of precisely selected victims, look for the information that might be useful for them, and once they get it, they back away quickly, removing all the malware components and signs of malicious activity from the system.
To avoid initial detection, the hacker group's malware dropper uses a stolen certificate.
"Malicious files are deleted with the use of a 'shred' utility, which overwrites a file with random content several times before renaming it and finally removing it from the file system," Janus said. "This approach prevents the files from being restored in the event of forensic analysis."
The command and control (C&C) Web addresses for Wild Neutron are also very well-protected, she added. The C&C locations are double encrypted in a way that allows decryption only on the same machine the malware was run on, with the same user logged in.
It's clear to me that Wild Neutron is investing heavily in avoiding detection and intends to stay alive for as long as it can. I suspect that Wild Neutron's efforts at avoiding detection aren't entirely unique either, as attackers overall are becoming increasingly sophisticated to avoid detection by security vendors and law enforcement.
To avoid becoming a victim of Wild Neutron, end users can protect themselves with tools and processes. To that end, Janus has a few simple good hygiene best practices:
- Regularly scan your PC with an advanced anti-malware solution.
- Update all third-party applications, especially Adobe Flash Player.
- Do not visit forums that are known to be hacked.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.