Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

ID: G0066
Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.0

Associated Group Descriptions

Name Description
Elderwood Gang [2] [3]
Beijing Group [3]
Sneaky Panda [3]

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[2][3][1]

Enterprise T1203 Exploitation for Client Execution

Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[2]

Enterprise T1027 Obfuscated Files or Information

Elderwood has encrypted documents and malicious executables.[2]

Enterprise T1105 Remote File Copy

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[4]

Enterprise T1045 Software Packing

Elderwood has packed malware payloads before delivery to victims.[2]
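The Obfuscated Files or Information (T1027) and Software Packing (T1045) entries above describe payloads that are encrypted or packed before delivery. A common triage check for such samples is per-section byte entropy: a packed or encrypted PE body sits close to 8 bits per byte, while ordinary code and data sit well below that. The following is an added illustration of that check, not code from this page, from ATT&CK, or from the cited reports. It parses the PE section table with only the Python standard library and runs the heuristic over a constructed, minimal PE image (two sections, one plain text and one filled with deterministic pseudo-random bytes standing in for a packed body). The 7.0 threshold, the sample section names and the filler data are assumptions for the example.

```python
"""Entropy heuristic for packed or encrypted PE sections (ATT&CK T1045 / T1027).

Added example, not code from the ATT&CK Elderwood page or the cited reports.
Standard library only: parses the PE section table and flags sections whose
byte entropy approaches 8 bits/byte, which is how packed or encrypted
payloads look on disk.
"""
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List

ENTROPY_THRESHOLD = 7.0  # assumed cutoff; tune against your own sample set


@dataclass
class Section:
    name: str
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes) -> List[Section]:
    """Walk IMAGE_SECTION_HEADER entries and compute entropy of each raw body."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", blob, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first section header
    out = []
    for i in range(num_sections):
        hdr = blob[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        body = blob[raw_ptr: raw_ptr + raw_size]
        out.append(Section(name, raw_size, shannon_entropy(body)))
    return out


def flag_packed(blob: bytes, threshold: float = ENTROPY_THRESHOLD) -> List[str]:
    """Names of sections whose entropy meets the threshold (candidate packed/encrypted bodies)."""
    return [s.name for s in pe_sections(blob) if s.entropy >= threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE: a plain-text '.text' and a high-entropy '.upx1' section.

    The image is not runnable and the section names are assumptions; it only
    exercises the parser. The '.upx1' filler is a SHA-256 chain, which gives
    deterministic bytes that are statistically indistinguishable from packed data.
    """
    plain = b"This is ordinary program text.\0" * 64
    filler, seed = b"", b"elderwood-sample"
    while len(filler) < 4096:
        seed = hashlib.sha256(seed).digest()
        filler += seed
    sections = [(b".text", plain), (b".upx1", filler[:4096])]
    opt_size = 0
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (headers_len + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, bodies, ptr = b"", b"", data_start
    for name, body in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body),
                             ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += len(body)
    image = bytes(dos) + b"PE\0\0" + coff + table
    image += b"\0" * (data_start - len(image))
    return image + bodies


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in pe_sections(sample):
        print(f"{s.name:<8} {s.raw_size:>6} bytes  entropy={s.entropy:.2f}")
    print("flagged:", flag_packed(sample))
```

Entropy alone is a triage signal, not a verdict: legitimately compressed resources, embedded certificates and .NET resource blobs also score high, so corroborate a flagged section with other features (a nearly empty import table, a non-standard section name, executable+writable section flags, or a tiny entry-point stub that unpacks into memory) before treating the file as packed.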

Enterprise T1193 Spearphishing Attachment

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[2][3]

Enterprise T1192 Spearphishing Link

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[2][3]

Enterprise T1195 Supply Chain Compromise

Elderwood has targeted manufacturers in the supply chain for the defense industry.[2]

Enterprise T1204 User Execution

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments.[2][3]

Software

ID Name References Techniques
S0204 Briba [2] Commonly Used Port, New Service, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32
S0203 Hydraq [2] Access Token Manipulation, Custom Cryptographic Protocol, Data from Local System, Execution through Module Load, Exfiltration Over Alternative Protocol, File and Directory Discovery, File Deletion, Indicator Removal on Host, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Query Registry, Remote File Copy, Screen Capture, Service Execution, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0211 Linfo [2] Command-Line Interface, Data from Local System, Fallback Channels, File and Directory Discovery, File Deletion, Process Discovery, Remote File Copy, Scheduled Transfer, System Information Discovery
S0205 Naid [2] Commonly Used Port, Custom Command and Control Protocol, Modify Registry, New Service, System Information Discovery, System Network Configuration Discovery
S0210 Nerex [2] Code Signing, Modify Registry, New Service, Remote File Copy
S0208 Pasam [2] Commonly Used Port, Data from Local System, File and Directory Discovery, File Deletion, LSASS Driver, Process Discovery, Remote File Copy, System Information Discovery
S0012 PoisonIvy [2] Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0207 Vasport [2] Connection Proxy, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0206 Wiarp [2] Command-Line Interface, Commonly Used Port, New Service, Process Injection, Remote File Copy

References