Both Kaspersky and Symantec released reports this week pointing out the increase in attacks by Wild Neutron (aka Jripbot, Morpho, or Butterfly). WN had gone mostly dormant (or undetected?) since 2013 after hitting Apple, Facebook, Twitter, and Microsoft using zero-day Java exploits (seeded in the hacked forums of various websites) and dropping the OSX/Pintsized backdoor on Mac OS X or the Jripbot backdoor on Windows.
Both Kaspersky and Symantec note that the newest attacks use an unknown infection vector but are believed to leverage a Flash Player exploit. It should be noted that both released their reports on July 8, a day after we learned of the zero-day Flash Player exploit in Hacking Team's spyware, an exploit described as “the most beautiful Flash bug for the last four years”.
Some of the group’s distinctive features include:
- Use of open source tools and leaked sources of other malware
- Use of stolen certificate from Acer Incorporated to sign malware
- Use of a cross-platform zero-day exploit (Java and Flash) followed by a cross-platform reverse-shell payload (Perl) for initial penetration
- Use of *NIX code ported to Windows through Cygwin
- Heavy use of SSH, a commonly used *NIX administration tool, for exfiltration
- Use of the CryptProtectData API to keep C&C URLs secret
- Simple command line interface, built around all malware components, utilizing named pipes for communication between modules
- Auxiliary tools are written in C and most of them contain a built-in help, which may be printed by executing the binary with a “–pleh” parameter
The group is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.
The group uses a suite of custom developed or modified open source applications.
Hacktool.Securetunnel: modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
Hacktool.Bannerjack: used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
Hacktool.Multipurpose: allows movement across a compromised network by editing event logs to hide activity, dumping passwords, securely deleting files, encrypting files, and carrying out basic network enumeration.
Hacktool.Eventlog: used to parse event logs, dump entries of interest, and delete entries. It also kills processes and performs a secure self-delete.
Hacktool.Proxy: used to create a proxy connection that allows attackers to route traffic through an intermediary node, onto their destination node.
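As an added defender-side example (not code from either report or from this post), here is a small Python triage routine that flags the group's named pipes and mutex/event names listed further down, together with Windows log-clearing events (Security 1102, System 104), in endpoint telemetry records. It assumes Sysmon is deployed (its IDs 17/18 record pipe creation/connection, with PipeName carrying only the leaf name) and that an EDR feed exposes created mutex names in an ObjectName field; the sample records are constructed, not real captures.

```python
# Named-pipe leaf names and sync-object names attributed to Wild Neutron on this page
# (\\.\pipe\winsession, \\.\pipe\lsassw, Global\LnrRTPDispatchEvents, _Winlogon_TCP_Service).
WN_PIPE_LEAVES = {"winsession", "lsassw"}
WN_SYNC_OBJECTS = {r"global\lnrrtpdispatchevents", "_winlogon_tcp_service"}

# Windows events written when a log is cleared: Security 1102, System 104.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Assumption: Sysmon is deployed; IDs 17/18 are Pipe Created / Pipe Connected.
SYSMON_PIPE_EVENTS = {17, 18}


def pipe_leaf(name: str) -> str:
    r"""Normalise '\\.\pipe\winsession', '\winsession' or 'WINSESSION' to 'winsession'."""
    return name.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (reason, record) pairs for records matching the group's tradecraft."""
    hits = []
    for ev in events:
        chan, eid = ev.get("Channel"), ev.get("EventID")
        if (chan, eid) in LOG_CLEARED:
            hits.append(("event log cleared", ev))
        elif chan == "Sysmon" and eid in SYSMON_PIPE_EVENTS:
            if pipe_leaf(ev.get("PipeName", "")) in WN_PIPE_LEAVES:
                hits.append(("Wild Neutron named pipe", ev))
        # Assumption: the EDR feed reports created mutex/event names as ObjectName.
        elif ev.get("ObjectName", "").lower() in WN_SYNC_OBJECTS:
            hits.append(("Wild Neutron mutex/event", ev))
    return hits


# Constructed sample telemetry: one benign pipe, one hit per indicator class, one benign logon.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 17, "PipeName": r"\MSSE-1234-server",
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"Channel": "Sysmon", "EventID": 17, "PipeName": r"\winsession",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc-backup"},
    {"Channel": "EDR", "EventID": 0, "ObjectName": r"Global\LnrRTPDispatchEvents",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
```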
2013 forums used for Java zero-day attacks:
2015 exploitation chain seen at http://cryptomag.mediasource.ch/ (66.55.133.89):
Known malicious hostnames and domains:
Known malicious IPs:
Known file names:
Named pipes:
\\.\pipe\winsession
\\.\pipe\lsassw
Events & mutexes:
Global\LnrRTPDispatchEvents
_Winlogon_TCP_Service