Sophisticated, successful Morpho APT group is after corporate data

Two reports published on Wednesday by Symantec and Kaspersky Lab detail the recent attacks executed by an unusual APT group they have dubbed Morpho and Wild Neutron, respectively.

The group was first spotted in 2013, when they successfully compromised Twitter, Apple, Facebook and Microsoft by using the watering hole technique and a Java zero-day exploit to deliver an OS X backdoor to the companies’ developers.

Since then, the group has hit 49 large corporations in over 20 countries.

“Aside from the four companies who have publicly acknowledged attacks, Symantec has identified five other large technology firms compromised by Morpho, primarily headquartered in the US. However, technology is not the only sector the group has focused on and Symantec has found evidence that Morpho has attacked three major European pharmaceutical firms,” the researchers explained.

“In the first attack, the attackers gained a foothold by first attacking a small European office belonging to one firm and using this infection to then move on to its US office and European headquarters. This template appeared to be followed in the two subsequent attacks on big pharma firms, with Morpho compromising computers in a number of regional offices before being discovered.”

The group has lately shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014, as well as a law firm that specializes in finance and natural resources specific to Central Asia.

Morpho is a cyber espionage group that is after confidential company information that can be monetized. They are not thought to be state-sponsored (even though they used zero-day exploits), but are either using the stolen information themselves, or are selling it to interested third parties. It’s also possible that they have been hired to perform these hacks by individuals or organizations interested in targeting those particular companies.

According to Symantec, the group has been operational since at least March 2012; Kaspersky Lab researchers say late 2011.

The group definitely knows what they are doing: they perform thorough reconnaissance before hitting their targets. They compromise companies’ email servers to intercept company emails, they attack enterprise content management systems in search of information, and have occasionally even managed to compromise the companies’ Physical Security Information Management (PSIM) systems.

They write their own malware tools: the aforementioned OS X backdoor (Pintsized) and its Windows version (Jiripbot), and their own hacking tools: event log parsing and editing tools, proxy tools, exfiltration tools, and so on.

According to Kaspersky Lab researchers, who have shared many technical details about the malware used by the group, Morpho bases its tools on open source tools and leaked source code of other malware.

The use of zero-day exploits and stolen valid digital certificates indicates that the group is powerful, sophisticated and, above all, very careful. They never reuse email addresses when they register a C&C domain, and hosting providers are always paid with Bitcoins. They carefully scrub their digital tracks after they are done with a target.

Symantec researchers say that at least some of the gang – if not all – are English speakers, as their malware is documented in fluent English. They have apparently also been using expressions from English-speaking pop culture.