Wild Neutron, the notorious hacker group responsible for hacking websites of high-profile companies including Apple, Facebook, Twitter and Microsoft, is back in business. The group went underground for a year after its activities were widely publicised.
Wild Neutron also goes by several other names, including Jripbot and Morpho. It uses a stolen but valid code verification certificate and an unknown Flash Player exploit to infect companies and private users around the world and steal sensitive business information.
Kaspersky Lab researchers were able to identify targets of Wild Neutron in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, Algeria, the UAE and the United States. Besides individual users, the targets also include companies dealing with investment, real estate, law, bitcoins, IT and healthcare, as well as those involved in M&A deals.
Kaspersky asserted that the nature of the attacks suggests the group has no geopolitical agenda behind its espionage. However, the use of zero-day exploits, multi-platform malware and other advanced techniques leads the researchers to believe it is a powerful entity engaged in espionage, possibly for economic reasons.
The initial infection vector of the recent attacks is still unknown, although there are clear indications that victims are compromised by an exploit kit that leverages an unknown Flash Player exploit served through compromised websites. The exploit delivers a malware dropper package to the victim.
The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string "La revedere" ("Good bye" in Romanian) to mark the end of the C&C communication. In addition, Kaspersky Lab researchers found another non-English string: the Latin transcription of the Russian word "Успешно" ("uspeshno", meaning "successfully").