Security experts have discovered and analyzed the activities of a financially motivated APT group, dubbed Morpho and Wild Neutron, that has targeted a large number of high-profile companies worldwide.
According to the analysis published by Kaspersky Lab, the Morpho APT group is specialized in corporate espionage and has been active since at least 2011.
The researchers speculate that the group is responsible for the attacks in 2013 on the IT giants Apple, Facebook, Microsoft, and Twitter.
“The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons,” said Kaspersky.
The Morpho team exploited a Flash Player zero-day in its attacks and digitally signed its malicious code by using stolen Acer Incorporated digital certificates.
The hackers were able to remain undetected within the targeted infrastructure for nearly a year.
The criminal crew also targeted Bitcoin companies, law firms, real estate and investment companies, individual users, and numerous firms in the IT and healthcare industries.
Kaspersky reported that the Morpho group infected organizations with its Wild Neutron backdoor in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.
“A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since at least 2011, infecting high-profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.”
According to Symantec, the Morpho group infected systems in a larger number of countries: its researchers have identified a total of 49 victims spread across 20 countries since March 2012.
“Morpho is a group of highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain.” states the report published by Symantec.
Because the attackers focused mainly on stealing the intellectual property of high-profile victims, Symantec believes that Morpho is financially motivated.
The information collected by the experts at Symantec suggests that the group may be made up of native English speakers who are familiar with Western culture, and that they likely operate from the Eastern Standard Time (EST) zone.
Researchers at Kaspersky confirmed they had discovered a Romanian-language string in some of the malware samples they analyzed, as well as a string that is the Latin transcription of a Russian word.
The Morpho group used several hacking tools, including custom malware; the experts noticed a predilection for the backdoor Trojans Pintsized (the OS X variant) and Jripbot (the Windows variant).
(Security Affairs – Morpho, hackers)