BUTTERFLY GROUP
The Butterfly group performs corporate espionage campaigns against organizations containing proprietary intellectual property. Stolen information is likely sold for fiscal gain. The Butterfly group is organized and efficient. It is likely that the group consists of only a few individuals (~3-10 members). According to Symantec, “[t]here are some indications that this group may be made up of native English speakers, are familiar with Western culture, and may operate from an Eastern Standard Time (EST) time zone.” The emergence of the Butterfly group should remind organizations that corporate espionage groups and non-state sponsored APTs still exist. In fact, in certain aspects, they are more dangerous than state sponsored groups. Mercenary and espionage groups may possess specific knowledge of what information to steal or from what systems to steal data. This information may come from competitors or it may come from insider threats within the organization. APTs, like the Butterfly group, are more likely to profit from exfiltrated data and stolen intellectual property than an enemy nation state might. Auction of stolen information to a third party will likely occur immediately after a breach because the group maximizes their potential by realizing profit and redirecting their resources to the next target. Few concurrent campaigns were observed. Once information is sold to a third party, attribution of the attack becomes more difficult. The realized impact of lost financial data or stolen intellectual property could cripple the organization.
The Butterfly group has targeted pharmaceutical companies, technology firms, law practices, oil and precious metal mining organizations, Twitter, Facebook, Apple, and Microsoft. Since their creation in 2012, the group has compromised at least 49 organizations. There was only one government victim and they may have been collateral damage of a different campaign. Butterfly does not appear interested in nation state intelligence. After the attacks against Twitter, Facebook, Apple, and Microsoft in February 2013 drew the attention of security researchers, the group went dormant. They reemerged in August 2013 and have been gradually increasing their number of attacks per year. Of the 49 companies targeted, 17 are based in the United States, 12 are based in Europe, and 4 are based in Canada. The remaining 16 victims are located in Brazil, China, Hong Kong, India, Israel, Japan, Kazakhstan, Malaysia, Morocco, Nigeria, Taiwan, Thailand, South Korea, and the United Arab Emirates.
In attacks against pharmaceutical companies, the attackers breached small regional offices and then slowly moved across the network to the main network. In late 2014, two natural resource organizations that specialize in gold and oil were compromised. In June 2015, a Central Asian global law firm was compromised and financial information and information about regional natural resources may have been targeted. This has led to speculation that the attackers may be focusing on information that is valuable in the commodities market. The behavior may also indicate direction from a third party client who is invested in the commodities market.
Attacks seem to be focused on specific systems that are of interest to the attackers, such as Microsoft Exchange or Lotus Domino email servers. The attackers may want to monitor emails or they may want to inject messages into the server. Content management servers, which index and store documents and digital assets, were also targeted. According to Symantec, these servers likely contained legal documents, internal policies, training documents, product descriptions, and financial records. The actor may gauge the value of a target based on training materials and presentations for related technologies under development at the organization. In at least one instance, the group hacked a Physical Security Information Management (PSIM) system which collects, processes, and stores data from physical security devices such as CCTV, magnetic card systems, HVAC, and building security systems. The actor could have been monitoring employees throughout their daily activities, or the system could have been compromised by mistake.
The Butterfly group exploits zero-day vulnerabilities from a water hole website. In February 2013 Twitter, Facebook, Apple, and Microsoft were attacked within a three-week period. The Butterfly group initiated their campaign with a Java zero-day exploit that was delivered from a popular iPhone mobile development website. For some of the attacks, F- Secure believes that the payload delivered after the breach may have been a Mac OS X backdoor, dubbed OSX Pintsized. Attacks against Windows systems likely featured the Jripbot backdoor. Symantec believes that the group may also exploit Internet Explorer 10 or an Internet Explorer plugin. At least one recent attack suggests that the group might also conduct SQL injection attacks.
After a network is compromised, the group carefully adapts to the environment and utilizes remote access tools and management systems to laterally move across the network. The adversaries have used native Citrix systems and the TeamViewer applications to move across some networks. The attackers are able to rapidly assess whether a system is valuable or whether they should move to a new system on the network. The Butterfly group uses a unique set of tools, which seem to have been developed by or developed for the attackers. Symantec could not find any open source data on the tools. The tools all contain use documentation. One tool, bj.dat, (called “Banner Jack.” ) is used to locate vulnerable network servers, printers, routers, HTTP servers, or TCP servers. Banner Jack retrieves default messages from Telnet, HTTP, and TCP servers. Banner Jack accepts an input IP range and port and then it connects each IP address to a port. Then it retrieves and logs any data printed by the server. The Proxy.A tool creates a proxy connection so that the actor can route traffic through a proxy node to a destination node. The Eventlog tool parses event logs, dumps interesting logs and deletes incriminating logs. The tool can also end processes and delete itself. The Multipurpose tool edits event logs, dumps passwords, securely deletes files, encrypts files, enumerates the network, and assists the attacker in moving across the network.
The Butterfly group exhibits intense operational security. Many of their tools self-delete, and others are securely deleted by a GNU Shred tool used by the attackers. Event logs are modified or deleted to hide the intrusion. Uninteresting computers are fully purged of all traces of the attacker’s presence. C&C domains are registered with disposable names and emails. Hosts of C&C servers are paid using the Bitcoin anonymous digital currency. Symantec observed that the group “uses encrypted virtual machines and multi-staged C&C servers” to make it more difficult to investigate their middle infrastructure. Symantec managed to track activity through proxies to a C&C server that was digitally sterilized. No activity was logged and the system featured Truecrypt and a Virtual Box virtual machine. Compromised systems were likely attacked from within the virtual machine; consequently, analysis is difficult when the image is not live.