Posted on Leave a comment

Are Wild Neutron’s latest attacks related to the zero-day exploit(s) in Hacking Team’s drop?

image thumb91

Screenshot showing Romanian language used in code

Both Kaspersky and Symantec released reports this week pointing out the increase in attacks by Wild Neutron (aka Jripbot, Morpho, or Butterfly). WN had gone mostly dormant (or undetected?) since 2013 after hitting Apple, Facebook, Twitter, and Microsoft using zero-day Java exploits (seeded in the hacked forums of various websites) and the OSX/Pintsized Mac OS X or Windows Jiripbot backdoor.

Both Kaspersky and Symantec note that the newest exploits are using an unknown vector but are believed to leverage a Flash Player exploit. It should be noted that both released their reports on July 8, a day after we learned of the zero-day Flash Player exploit in Hacking Teams spyware, an exploit described as “the most beautiful Flash bug for the last four years”.

Some of group’s distinctive features include:

  • Use of open source tools and leaked sources of other malware
  • Use of stolen certificate from Acer Incorporated to sign malware
  • Use of cross platform zero-day exploit (Java and Flash) followed by cross platform payload reverse shell (Perl) for initial penetration
  • Use of *NIX code ported to Windows through Cygwin
  • Heavy use of SSH for exfiltration, a commonly used *NIX administration tool
  • Use of CryptProtectData API to keep C&C URLs secret
  • Simple command line interface, built around all malware components, utilizing named pipes for communication between modules;
  • Auxiliary tools are written in C and most of them contain a built-in help, which may be printed by executing the binary with a “–pleh” parameter

imageAccording to Symantec:

The group is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.  This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.

The group uses a suite of custom developed or modified open source applications.

Hacktool.Securetunnel: modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.

Hacktool.Bannerjack: used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.

Hacktool.Multipurpose: allows movement across a compromised networking by editing event logs to hide activity, dumping passwords, securely deleting files, encrypting files, and carrying out basic network enumeration.

Hacktool.Eventlog: used to parse event logs, dumping out ones of interest, and delete entries. It also kills processes and performs a secure self-delete.

Hacktool.Proxy: used to create a proxy connection that allows attackers to route traffic through an intermediary node, onto their destination node.

2013 forums used for Java zero-day attacks

expatforum.com

mygsmindia.com

forum.samdroid.net

emiratesmac.com

forums.kyngdvb.com

community.flexispy.com

ansar1.info

www.iphonedevsdk.com

min.liveanalytics.org

fedoraforum.org

2015 exploitation chain seen at http://cryptomag.mediasource.ch/ (66.55.133.89)

/favicon.ico

/msie9html5.jpg

/loader-large.gif

/bootstrap.min.css

/stats.js?d=1434374526478

/autoload.js?styleid=20&langid=5&sid=883f2efa&d=1434374526

/banner.html?styleid=19&langid=23&sid=883f2efa&d=1434374526

/883f2efa/bniqligx.swf?styleid=4&langid=6&sid=883f2efa&d=1434374533

/883f2efa/pzixfgne?styleid=5&langid=25&sid=883f2efa&d=1434374533

/883f2efa/bniqligx.swf?styleid=4&langid=6&sid=883f2efa&d=1434374533/

/background.jpg

Known malicious hostnames and domains:

ddosprotected.eu

updatesoft.eu

app.cloudprotect.eu

fw.ddosprotected.eu

logs.cloudprotect.eu

ssl.cloudprotect.eu

ssl.updatesoft.eu

adb.strangled.net

digitalinsight-ltd.com

ads.digitalinsight-ltd.com

cache.cloudbox-storage.com

cloudbox-storage.com

clust12-akmai.net

corp-aapl.com

fb.clust12-akmai.net

fbcbn.net

img.digitalinsight-ltd.com

jdk-update.com

liveanalytics.org

min.liveanalytics.org

pop.digitalinsight-ltd.com

ww1.jdk-update.com

find.a-job.today

cryptomag.mediasource.ch

Known malicious IPs:

185.10.58.181

46.183.217.132

64.187.225.231

62.113.238.104

66.55.133.89

217.23.6.13

Known file names:

%APPDATA%\Roaming\FlashUtil.exe

%APPDATA%\Roaming\Acer\LiveUpdater.exe

%APPDATA%\Roaming\Realtek\RtlUpd.exe

%ProgramData%\Realtek\RtlUpd.exe

%APPDATA%\Roaming\sqlite3.dll (UPX packed)

%WINDIR%\winsession.dll

%APPDATA%\appdata\local\temp\teamviewer\version9\update.exe

%SYSTEMROOT%\temp\_dbg.tmp

%SYSTEMROOT%\temp\ok.tmp

C:\windows\temp\debug.txt

C:\windows\syswow64\mshtaex.exe

%SYSROOT%\System32\mshtaex.exe

%SYSROOT%\System32\wdigestEx.dll

%SYSROOT%\System32\dpcore16t.dll

%SYSROOT%\System32\iastor32.exe

%SYSROOT%\System32\mspool.dll

%SYSROOT%\System32\msvcse.exe

%SYSROOT%\System32\mspool.exe

C:\Program Files (x86)\LNVSuite\LnrAuth.dll

C:\Program Files (x86)\LNVSuite\LnrAuthSvc.dll

C:\Program Files (x86)\LNVSuite\LnrUpdt.exe

C:\Program Files (x86)\LNVSuite\LnrUpdtP.exe

DF39527~.tmp

Named pipes:

\\.\pipe\winsession

\\.\pipe\lsassw

Events & mutexes:

Global\LnrRTPDispatchEvents

_Winlogon_TCP_Service

Leave a Reply

Your email address will not be published. Required fields are marked *