Back in 2012, Symantec researched the Elderwood platform, which was used in spear-phishing and watering-hole attacks against a wide variety of industries. The Elderwood platform essentially consists of a set of exploits that have been engineered and packaged in a “consumer-friendly” way. This allows non-technical attackers to easily use zero-day exploits against their targets.
We observed attackers using the Elderwood platform against a large number of sectors, including defense, defense supply chain manufacturing, IT, and human rights. Most notably, attackers used this set of exploits in a high-profile campaign known as Operation Aurora.
The Elderwood platform may have first been documented in 2012, but it has continuously been updated with some of the latest zero-day exploits. Within just one month at the start of 2014, the Elderwood platform was used to exploit three zero-day vulnerabilities, proving that this exploit set is still a formidable threat.
Initially, our research suggested that the Elderwood platform was being used by a single attack group. Our latest research leads us to believe that several groups could be using this platform. The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.
Who could have created Elderwood?
There are several theories which may describe the makeup of the attackers utilizing the Elderwood platform’s zero-day exploits. Our research suggests that there are two more probable scenarios.
- There is a single parent organization broken into a number of subgroups. Each subgroup is tasked with targeting a particular industry. They each use individually developed malware families and operate their own network infrastructure. The parent organization obtains the zero-day exploits and coordinates the distribution and utilization of these exploits amongst the subgroups.
Figure 1. Zero-day exploits distributed throughout an organization consisting of multiple teams
- The attack groups are separate entities with their own agendas. These groups all have contact with a single zero-day exploit supplier which delivers the exploits to the groups at the same time. The supplier may give certain groups preferential treatment, offering zero-day exploits to some attack groups a few days before others.
Figure 2. Zero-day exploits distributed to different groups but by a common supplier
Based on our evidence, which we will discuss in this blog, it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups. This alone is a sign of the level of resources available to these attackers.
If the exploits are being purchased from a third party distributor, the purchasing organization must have substantial financial resources to pay for the exploits. If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so. These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.
Elderwood’s notable exploits
In 2012, several Internet Explorer and Adobe Flash exploits were part of the Elderwood platform, which took advantage of a number of vulnerabilities, including the following bugs.
- Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
- Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
Recently, we have seen the platform use new zero-day exploits against the following vulnerabilities, many of which are similar to the previously used exploits.
- Adobe Flash Player and AIR Remote Code Execution Vulnerability (CVE-2014-0502)
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324)
These exploits are not the only ones used in the platform, but as we will discuss, they show a connection between Elderwood campaigns. Let’s take a look at some of the major attack groups who have used the Elderwood platform over the past few years.
Who has been using the Elderwood platform?
The following is a timeline of the most recent high-profile use of the Elderwood platform.
Figure 3. Timeline of known activities of recent zero-day exploits
While many of the following attack groups do not use the Elderwood platform exclusively, they have been observed using it throughout many of their major campaigns over a number of years. Along with taking advantage of vulnerabilities that are known to be covered in the Elderwood platform, the attackers also exploited other flaws, such as the Microsoft Internet Explorer ‘CDwnBindInfo’ Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) and the Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776).
|Attack group||Targets||Associated operation names||Exploited vulnerabilities||Malware used|
|Hidden Lynx||Defense industry||Operation Snowman||CVE-2014-0322 (Internet Explorer)||Backdoor.ZXshell|
CVE-2014-0322 (Internet Explorer)
CVE-2014-0502 (Adobe Flash)
CVE-2012-0779 (Adobe Flash)
CVE-2014-0324 (Internet Explorer)
|Sakurel||Aerospace engine manufacturers||
CVE-2014-0322 (Internet Explorer)
CVE-2012-4792 (Internet Explorer)
CVE-2014-0502 (Adobe Flash)
CVE-2014-1776 (Internet Explorer)
Table 1. The attack groups using the Elderwood platform
The Elderwood connection
Along with the attack groups’ use of these exploits through their campaigns, the exploits’ infrastructure also appear to be linked.
The two recent Internet Explorer zero-day exploits for CVE-2014-0322 and CVE-2014-0324 share a number of features, including common shellcode. They both can also decrypt malware retrieved from images and write the decrypted malware to a file with a “.txt” extension in the %Temp% folder.
Along with this, exploits for both CVE-2014-0502 and CVE-2014-0322 were hosted on the same site. Finally, there are indications that suggest that a CVE-2014-0324 exploit was used to drop Backdoor.Linfo. The same malware was dropped in 2012 with the CVE-2012-0779 exploit.
The following image gives an overall look at how these attack groups’ use of the Elderwood platform are connected.
Figure 4. Some of the connections between recent and previous zero-day exploits
It’s difficult to definitively link the use of zero-day exploits back to one central group or organization. Once a zero-day exploit has been deployed in an attack, it can be reverse-engineered, copied and re-purposed for other attackers to use. The Elderwood platform is particularly easy to reverse-engineer, as its exploits are neatly packaged and separated from the payload. Elderwood’s exploit implementations may have been purposely created in this manner to make it easier for its customers to use.
However, in these observed attack campaigns, there is a repeating pattern of attack groups using Internet Explorer and Flash zero-day exploits to deliver the same malware families. Not only that, but these exploits share many similarities in their implementation. This evidence indicates that there is a greater level of communication between attack groups than if the exploits were simply being reverse-engineered.
Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated. They present a serious threat to potential targets.
Symantec protects customers from the various malware families listed in this blog through our antivirus, IPS, behavioral and reputation technologies.