Wild Neutron Targeted Attacks

VIRUS DEFINITION

Virus Type: Spyware, Advanced Persistent Threat

What is Wild Neutron?

Wild Neutron (also known as “Jripbot” and “Morpho”) is a powerful threat actor with a wide range of interests — from big IT enterprises and spyware developers to [online?] terrorist forums and bitcoin-related companies. Kaspersky Lab’s experts believe that it is a significant entity engaged in espionage, possibly for economic reasons. Wild Neutron uses a number of methods, including hacked forums as watering holes, zero-day exploits for propagation and stolen legitimate certificates to sign malware. It appears that it has been active since 2011.

Who are the victims of its attacks?

Kaspersky Lab has been able to identify several victims, in the following countries:

France
Russia
Switzerland
Germany
Austria
Palestine
Slovenia
Kazakhstan
UAE
Algeria
United States

Targets of Wild Neutron attacks include:

Law firms
Bitcoin-related companies
Investment companies
A group of large companies often involved in M&A deals
IT companies
Healthcare companies
Real estate companies
Individual users

Am I at risk?

You might be a target for Wild Neutron if the following risk factors are familiar to you:

Risk factors:

If you work for/with an industry targeted by the attackers
Regularly visit online forums
Tend to browse web pages via links in advertisements
Use an unpatched Adobe Flash Player

How do I know if I’m infected?

Indicators of compromise for Wild Neutron are available at Securelist.com

Kaspersky Lab products detect the malware used by the Wild Neutron attacker as: Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*