SYMBOLCOMMON_NAMEaka. SYNONYMS

WildNeutron  (Back to overview)

aka: Butterfly, Morpho, Sphinx Moth

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks. Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.


Associated Families
win.jripbot

References
2016-09-07Virus BulletinBrian Bartholomew, Juan Andrés Guerrero-Saade
@techreport{bartholomew:20160907:wave:96e9f50, author = {Brian Bartholomew and Juan Andrés Guerrero-Saade}, title = {{Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks}}, date = {2016-09-07}, institution = {Virus Bulletin}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf}, language = {English}, urldate = {2020-03-13} } Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
DuQu JripBot Sinowal Stuxnet Wipbot
2015-11-05Kudelski Securitykscert
@online{kscert:20151105:sphinx:0414ca2, author = {kscert}, title = {{Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT}}, date = {2015-11-05}, organization = {Kudelski Security}, url = {https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/}, language = {English}, urldate = {2020-01-10} } Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT
WildNeutron
2015-07-08Kaspersky LabsGReAT
@online{great:20150708:wild:4e853a7, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/}, language = {English}, urldate = {2019-12-20} } Wild Neutron – Economic espionage threat actor returns with new tricks
JripBot
2015-07-08Kaspersky LabsGReAT
@online{great:20150708:wild:ee7c858, author = {GReAT}, title = {{Wild Neutron – Economic espionage threat actor returns with new tricks}}, date = {2015-07-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/}, language = {English}, urldate = {2019-12-20} } Wild Neutron – Economic espionage threat actor returns with new tricks
WildNeutron
2015-07-08SymantecSymantec Security Response
@online{response:20150708:butterfly:6bf6652, author = {Symantec Security Response}, title = {{Butterfly: Profiting from high-level corporate attacks}}, date = {2015-07-08}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks}, language = {English}, urldate = {2020-01-08} } Butterfly: Profiting from high-level corporate attacks
WildNeutron
2013-02-22MicrosoftMicrosoft Security Response Center
@online{center:20130222:recent:b3d3f80, author = {Microsoft Security Response Center}, title = {{Recent Cyberattacks}}, date = {2013-02-22}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/}, language = {English}, urldate = {2019-12-20} } Recent Cyberattacks
WildNeutron
2013-02-19ReutersJim Finkle, Joseph Menn
@online{finkle:20130219:exclusive:fc04bd6, author = {Jim Finkle and Joseph Menn}, title = {{Exclusive: Apple, Macs hit by hackers who targeted Facebook}}, date = {2013-02-19}, organization = {Reuters}, url = {https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219}, language = {English}, urldate = {2020-01-09} } Exclusive: Apple, Macs hit by hackers who targeted Facebook
WildNeutron
2013-02-15FacebookFacebook
@online{facebook:20130215:protecting:491c151, author = {Facebook}, title = {{Protecting People On Facebook}}, date = {2013-02-15}, organization = {Facebook}, url = {https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766}, language = {English}, urldate = {2020-01-13} } Protecting People On Facebook
WildNeutron
2013-02-01TwitterBob Lord
@online{lord:20130201:keeping:b006baa, author = {Bob Lord}, title = {{Keeping our users secure}}, date = {2013-02-01}, organization = {Twitter}, url = {https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html}, language = {English}, urldate = {2020-01-07} } Keeping our users secure
WildNeutron

Credits: MISP Project