Wild Neutron hacker group back in action with Flash Player exploit

A hacker group by the name of Wild Neutron, which made a number of attacks on major tech companies including Apple, Microsoft and Facebook back in 2013, is now back in action according to Kaspersky.

The security firm notes that Wild Neutron disappeared from the scene for the best part of a year, but resumed attacks in 2014, continuing into this year.

Kaspersky researchers found that Wild Neutron has hit targets across 11 countries (including France, Germany, Russia and the US), which include law firms, IT outfits, real estate companies and finance-related firms (including investment companies and those dealing in Bitcoins).

The group uses an unknown Flash Player exploit, using a compromised website to deliver a malware dropper package (which is signed with a legitimate code verification certificate from a popular maker of consumer electronics) onto the victim's machine.

Once the dropper is on the system, it installs the main backdoor – there's nothing particularly sophisticated about this, but the attackers have been very careful in terms of hiding the command and control server address, with "special measures" built into the malware to defend the infrastructure from C&C takedowns.

While this isn't a nation-state-backed group, according to the security firm, the sophisticated defences, use of zero-day exploits and multi-platform malware lead Kaspersky to conclude that this is a "powerful entity engaged in espionage, possibly for economic reasons."

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, commented: “Wild Neutron is a skilled and quite versatile group. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X. Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile via solid operational security which has so far eluded most attribution efforts.

“The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the ‘Ansar Al-Mujahideen English Forum’) and Bitcoin companies indicates a flexible yet unusual mindset and interests.”