Wild Neutron in the Wild: Perhaps You’re His Next Prey

Attacking a broad spread of companies allows the group to access potentially valuable ‘bonus’ data from unexpected sources.

Unimportance is not Bliss

Media portrayals of sophisticated, highly expensive and probably state-sponsored cyberespionage evokes images of Bond-style characters covertly raiding the digital equivalents of Fort Knox in search of heavily guarded secrets or to spy on top officials. But good news for a media outlet is bad news for business managers, convincing them that the relative insignificance of their company means they’re of little interest to attackers.

Unfortunately, this was never the case in the past – and that’s unlikely to change in the near future. Do you deal with significant volumes of financial or personal data? The bad guys are interested. Or maybe there are some competitors willing to break the rules and hire some cybermercenaries to spy on you. If that still sounds improbable, a new series of attacks by Wild Neutron1 should make you sit up and take notice:

Consider this range of known targets:

  • Law firms
  • Bitcoin-related companies
  • Investment companies
  • Large company groups often involved in M&A deals
  • IT companies
  • Healthcare companies

What do all these entities have in common? Mostly two things: They were vulnerable and had data the attackers considered valuable for some unknown reason. It could be something as simple as data that’s easily converted into hard currency – or soft currency in Bitcoin’s case. The Wild Neutron group behind this attack is unlikely to be connected with any government agencies, but that doesn’t make them less skillful or dangerous. Their first known series of strikes in 2013 proved their capabilities, successfully compromising Apple, Microsoft, Facebook, and Twitter. They returned in 2014, using the same highly refined, professional techniques against their new targets – but still not state-of-the-art; some of their modules seem to be heavily based on open source tools (such as Mimikatz or Pass-the-Hash) or well-known commercial malware (Hesperbot).

Hijack many, benefit from a few


Wild Neutron seems to be rather unscrupulous in its initial penetration methods. Their favorite way to infect victims is by compromising a web resource, such as a forum frequented by their chosen targets. This is loaded with exploits or redirecting scripts leading to another exploit-charged web resource. Because of this scattergun approach, it seems that many infected users were not specific targets of the group, but merely collateral damage. On the other hand, attacking a broad spread of companies allows the group to access potentially valuable ‘bonus’ data from unexpected sources. Either way, one thing is clear: Your company doesn’t have to be a target to become a victim. Just pray that the data you lose is of no use to the attackers.

Back in 2013, they were mostly using Java exploits, but currently they seem to prefer Adobe Flash. While the exact Flash vulnerability being exploited is still unclear, there is evidence that at least some victims had outdated versions of Adobe Flash on their machines, which is a grave mistake. After the initial penetration, they install a backdoor and create a fingerprint using the machine hardware, which is then used for both victim identification and to help encrypt sensitive information about C&C server URLs and configuration. This makes Wild Neutron even harder to track; they may seem like lazy trappers in contrast with some highly focused predators, but make no mistake, they are extremely professional and take every step to cover their tracks.

It’s Time to Mitigate the Risks Right Now


Current Kaspersky Lab products offer plenty of features to significantly reduce the risk of being attacked.

Properly addressing the issue of software vulnerabilities is a mission critical step in countering any attack; Wild Neutron’s exploitation of such weaknesses makes Kaspersky Lab’s Vulnerability Assessment and Patch Management2 the tools of choice to defend against this attack. They enable streamlining and automation of the tasks connected with vulnerability management, helping to close the security gaps found in popular software as soon as they are reported.

The toolset used by the Wild Neutron attackers includes both malware and legitimate software components which are integral for the toolset doing its job – but obviously have nothing to do with regular work activities of corporate staff. The ability to control the applications launched on company endpoints can really make a difference here; programs that are not supposed to be there won’t be allowed to start. Our Application Control feature3 can ensure that only legitimate, trusted software can run within corporate endpoints. In addition, Default Deny mode is worth considering for workstations running easily formalized processes: administrators simply choose the exact list of apps allowed to start and ban everything else.

Of course the whole range of Kaspersky Lab’s leading-edge anti-malware techniques are there to further reduce the risk of infection.

In particular, Web Anti-Virus armed with heuristic Anti-Phishing analyzes the structure of the loaded web pages and blocks attempts at unlawful redirects leading to some suspicious external sites.

The Automatic Exploit Prevention (AEP) system is capable of stopping exploits in their tracks.

Currently, the components the attackers are using are detected under the following verdicts:


Still, the fact that a targeted attack is usually more than just a pack of malware should always be kept in mind. Attackers are constantly testing their toolsets against the majority of known security solutions to find out how they could be sidestepped. Against a process, which is a targeted attack, a security-aware company would need not only endpoint-based or perimeter-guarding mechanisms, but a multi-faceted strategy. To fulfill such a strategy, Kaspersky Lab also offers a comprehensive set of Intelligence Services4 that can help to understand the nature of the attack and strengthen the company’s security posture.

1 You can read more about Wild Neutron here

2 Offered both in a standalone Systems Management solution and as a part of Kaspersky Endpoint Security Advanced and Kaspersky Total Security for Business

3 Is a part of Kaspersky Endpoint Security Select, Advanced and Kaspersky Security for Business

4 Kaspersky Intelligence Services offer a range of expert training, services and data feeds to empower your security strategy.