APT

Morpho, the financially motivated espionage target giant firms

Morpho is the name of a financially motivated espionage group that targets large enterprises, including Microsoft, Apple, Twitter, and Facebook.

Security experts have discovered and analyzed the activities of a financially motivated APT group, dubbed Morpho and Wild Neutron, that has targeted a large number of high profile companies worldwide.

According to the analysis published by Kaspersky Lab, the Morpho APT group is specialized in corporate espionage and has been active since at least 2011.

The researchers speculate that the group is responsible for the attacks in 2013 on the IT giants Apple, Facebook, Microsoft, and Twitter.

“The focus of these attacks suggests this is not a nation-state sponsored actor. However, the use of zero-days, multi-platform malware as well as other techniques makes us believe it’s a powerful entity engaged in espionage, possibly for economic reasons,” said Kaspersky

The Morpho team exploited a Flash Player zero-day in its attacks and digitally signed its malicious code by using stolen Acer Incorporated digital certificates.

The hackers were able to remain undetected within the targeted infrastructure for nearly a year.

The criminal crew also targeted Bitcoin companies, law firms, real estate and investment companies, individual users, and numerous firm in the IT and healthcare industries.

Kaspersky reported that the Morpho group infected organizations with its Wild Neutron backdoor in 11 countries, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

“A powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho“) has been active since at least 2011, infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware.”

According to Symantec the Morpho group infected systems in a larger number of countries, they have discovered a total of 49 victims spread across 20 countries since March 2012.

Morpho is a group of highly capable, professional attackers who perform corporate espionage with a laser-like focus on operational security. The team is a major threat to organizations that have large volumes of proprietary intellectual property, all of which is at risk of being stolen by this group for monetary gain.” states the report published by Symantec.

The attackers were mainly focused on the theft of intellectual property of high-profile victims, Symantec believes that Morpho is financially motivated.

There information collected by the experts at Symantec revealed that this group may be made up of native English speakers, which are familiar with Western culture, and it is likely they operate from an Eastern Standard Time (EST) time zone.

Researchers at Kaspersky confirmed to have discovered a Romanian language string in some of the malware samples they have analyzed, and also a string that is the Latin transcription of a Russian word.

The Morpho group used several hacking tools including custom-malware, the experts noticed a predilection for the backdoor Trojans Pintsized (the variant for OS X) and Jripbot (the variant for Windows).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Morpho, hackers)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

DORA Compliance Strategy for Business Leaders

In January 2025, European financial and insurance institutions, their business partners and providers, must comply…

14 hours ago

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report…

21 hours ago

City of Cleveland still working to fully restore systems impacted by a cyber attack

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services.…

1 day ago

Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda…

1 day ago

Google fixed an actively exploited zero-day in the Pixel Firmware

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively…

2 days ago

Multiple flaws in Fortinet FortiOS fixed

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution…

2 days ago

This website uses cookies.