    How the Wild Neutron Hacker Group Avoids Detection

    By Sean Michael Kerner - July 10, 2015
      The hacker group known as Wild Neutron is still actively attacking companies around the world, a number of years after the group was first discovered in 2011. Both Kaspersky Lab and Symantec have reported renewed activity from Wild Neutron (Symantec now refers to the group as “Butterfly”) this year.

      Wild Neutron/Butterfly has been implicated by Kaspersky Lab and Symantec as being involved in zero-day attacks against Apple, Facebook, Twitter and Microsoft back in 2013.

      “Butterfly is a disciplined, technically capable group with a high level of operational security,” Symantec wrote in a blog post. “Having managed to increase its level of activity over the past three years while maintaining a low profile, the group poses a threat that ought to be taken seriously by corporations.”

      According to Kaspersky Lab, the new attacks from Wild Neutron/Butterfly in 2015 involve the use of a code signing certificate that was allegedly stolen from electronics vendor Acer, as well as a new Flash Player exploit.

      Adobe issued an update for Flash Player on July 8, patching 36 vulnerabilities, but it’s not clear at this point if the Flash vulnerability used by Wild Neutron is one that was patched.

      “We didn’t have a chance to look at the exploit; we’ve only seen indirect artifacts,” Marta Janus, security researcher for the Global Research and Analysis Team at Kaspersky Lab, told eWEEK. “That’s why it is not possible, at the moment, to find out how exactly the exploit was used.”

      Given that the hacker group has been active for several years, it’s interesting to note that the hackers have yet to be caught by law enforcement. Janus noted that the attackers have been extremely careful in covering their tracks. She added that the Wild Neutron attackers target just a small number of precisely selected victims, look for the information that might be useful for them, and once they get it, they back away quickly, removing all the malware components and signs of malicious activity from the system.

      To avoid initial detection, the hacker group’s malware dropper uses a stolen certificate.

      “Malicious files are deleted with the use of a ‘shred’ utility, which overwrites a file with random content several times before renaming it and finally removing it from the file system,” Janus said. “This approach prevents the files from being restored in the event of forensic analysis.”
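      The wipe sequence Janus describes (several overwrites, a rename, then an unlink, all by one process within seconds) is itself a detectable pattern. The following is an added example for this article, not code from Kaspersky Lab or Symantec; the file-event log format and the sample lines are constructed, and the thresholds are assumptions.

```python
# Flag shred-style wipes (repeated overwrite -> rename -> unlink) in a file-event log.
# Added example; the "<epoch> <pid> <op> <path> [<new_path>]" format is constructed.

# Constructed sample events: a wipe by pid 4412, a normal edit/delete by 2201,
# and a log rotation by 3030 (rename without unlink).
SAMPLE_LOG = """\
1436500000 4412 write /tmp/cache/x.dll
1436500000 4412 write /tmp/cache/x.dll
1436500001 4412 write /tmp/cache/x.dll
1436500001 4412 rename /tmp/cache/x.dll /tmp/cache/Xk3Qz
1436500001 4412 unlink /tmp/cache/Xk3Qz
1436500005 2201 write /home/u/report.docx
1436500090 2201 write /home/u/report.docx
1436500700 2201 unlink /home/u/report.docx
1436500800 3030 write /var/log/app.log
1436500801 3030 rename /var/log/app.log /var/log/app.log.1
"""

def parse_events(text):
    """Parse log lines into (ts, pid, op, path, new_path) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        new_path = parts[4] if len(parts) > 4 else None
        events.append((int(parts[0]), int(parts[1]), parts[2], parts[3], new_path))
    return events

def find_shred_patterns(events, min_overwrites=3, window=10):
    """Return (pid, original_path) for each file a process overwrote at least
    min_overwrites times, then renamed and unlinked, all within `window` seconds.
    Plain deletes and rename-only log rotations do not match."""
    state = {}   # (pid, current_path) -> [origin_path, first_write_ts, writes, renamed]
    hits = []
    for ts, pid, op, path, new_path in events:
        key = (pid, path)
        if op == "write":
            st = state.setdefault(key, [path, ts, 0, False])
            if ts - st[1] > window:            # too slow to be a wipe: restart the sequence
                st[:] = [path, ts, 0, False]
            st[2] += 1
        elif op == "rename" and key in state:  # follow the file under its new name
            st = state.pop(key)
            st[3] = True
            state[(pid, new_path)] = st
        elif op == "unlink" and key in state:
            origin, first_ts, writes, renamed = state.pop(key)
            if writes >= min_overwrites and renamed and ts - first_ts <= window:
                hits.append((pid, origin))
    return hits
```

Running `find_shred_patterns(parse_events(SAMPLE_LOG))` flags only the sequence by pid 4412; the heuristic is a starting point and the thresholds would need tuning against a real endpoint's baseline.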

      The command and control (C&C) Web addresses for Wild Neutron are also very well-protected, she added. The C&C locations are double encrypted in a way that allows decryption only on the same machine the malware was run on, with the same user logged in.

      It’s clear to me that Wild Neutron is investing heavily in avoiding detection and intends to stay alive for as long as it can. I suspect that Wild Neutron’s efforts at avoiding detection aren’t entirely unique either, as attackers overall are becoming increasingly sophisticated to avoid detection by security vendors and law enforcement.

      End users can reduce their exposure to Wild Neutron with basic tools and processes. To that end, Janus offers a few simple security hygiene practices:

      • Regularly scan your PC with an advanced anti-malware solution.
      • Update all third-party applications, especially Adobe Flash Player.
      • Do not visit forums that are known to be hacked.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
