Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRE
T//
NOFORN
Pique Analysis Report
20150821-264-TW Wild Neutron
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 21 Au
g
2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) The following report details tools and techniques used by the threat actor known as
“Wild Neutron.” This actor has been active since 2001 with its latest attacks occurring in 2015
using a stolen code signing certificate belong to the company Acer as well as using an unknown
Flash Player Exploit.
(S//NF) In the past the actor has used scripts injected into forums to redirect visitors to another
website. He has also used a Mac OS X backdoor known as OSX/Pintsized that has been
recompiled for Win32 and is still being used.
(S//NF) Wild Neutron encrypts all C&C communication using a custom protocol. The actor is
also known to use multiple evasion techniques designed to detect or timeout sandboxes and
emulation engines. No further details on these techniques were given in the provided report.
(S//NF) In the actor’s most recent attacks the infection is vector is still unknown besides that it is
an unknown Flash Player Exploit. The main dropper to this infection is simple as it simply
decrypts the backdoor executable that has been stored as a resource and encrypted with a simple
XOR. After executing, the main backdoor is securely deleted. The C&C URL is interestingly
doubly encrypted and stored in the registry. The backdoor is typical yet fully functional to
include deleting autorun values, shredding files, downloading Internet files, installing malware
plugins, and updating itself. This backdoor also has the ability to recover from a C&C shutdown
using a dynamically generated domain name tied to each victim.
(S//NF) In conclusion, the report given focused on the actor Wild Neutron, his past techniques,
and his latest know attack vector. No new techniques worthy of a PoC were presented.
2.0 (U) Description of the Technique
(S//NF) No techniques are recommended for PoC development.
3.0 (U) Identification of Affected Applications
(U) Windows
4.0 (U) Related Techniques
(S//NF) RAT, Adobe Flash
5.0 (U) Configurable Parameters
(U) None