
Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora.[1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.[2][3]

ID: G0066
Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.3
Created: 18 April 2018
Last Modified: 17 November 2024

Associated Group Descriptions

Name | Description
Elderwood Gang | [2][3]
Beijing Group | [3]
Sneaky Panda | [3]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1189 | Drive-by Compromise

Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[2][3][1]

Enterprise | T1203 | Exploitation for Client Execution

Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[2]

Enterprise | T1105 | Ingress Tool Transfer

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[4]

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing

Elderwood has packed malware payloads before delivery to victims.[2]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

Elderwood has encrypted documents and malicious executables.[2]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[2][3]

Enterprise | T1566.002 | Phishing: Spearphishing Link

Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[2][3]

Enterprise | T1204.001 | User Execution: Malicious Link

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[2][3]

Enterprise | T1204.002 | User Execution: Malicious File

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.[2][3]
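The Drive-by Compromise entry above describes injecting loader code into a legitimate public page that the targeted sector visits. The following is an added example, not code from MITRE ATT&CK or from the reports cited on this page: a check a site owner can run over their own published HTML to flag script, iframe, embed or object sources that point outside the site's known origins. The allowlist (`ALLOWED_HOSTS`) and the sample page, including its injected iframe and loader script, are constructed for the demonstration.

```python
"""Flag remote active-content loaders injected into a page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site legitimately loads active content from (assumption for the demo).
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

# Tags and the attribute through which each pulls remote active content.
ACTIVE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class ActiveContentCollector(HTMLParser):
    """Collect every remote source of active content, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag, url)
        self.inline_scripts = 0    # inline <script> bodies, reported separately

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.sources.append((tag, value))
        elif tag == "script":
            self.inline_scripts += 1


def find_injected_loaders(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) loaders whose host is not on the allowlist.

    Relative URLs are same-origin and never flagged. Protocol-relative
    (//host/...) and absolute URLs are resolved to a host; data: and
    javascript: sources are always flagged because they carry the payload
    inline rather than referencing a known origin.
    """
    parser = ActiveContentCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.sources:
        parsed = urlparse(url, scheme="https")
        if parsed.scheme in ("data", "javascript"):
            findings.append((tag, url))
            continue
        host = parsed.netloc.lower().split("@")[-1].split(":")[0]
        if host and host not in allowed_hosts:
            findings.append((tag, url))
    return findings


# Constructed sample: a legitimate page carrying one injected hidden iframe
# and one injected external loader script, the shape a watering hole leaves.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head><body>
<h1>Industry news</h1>
<iframe src="http://203.0.113.7/x/index.html" width="0" height="0"></iframe>
<script src="//static-update.invalid/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_injected_loaders(SAMPLE_PAGE):
        print(f"unexpected {tag} source: {url}")
```

Run this against a stored copy of each published page on a schedule and diff the result against the previous run; a new external host appearing on a page that has not been deployed is the signal to investigate. It does not catch an attacker who injects obfuscated inline JavaScript, which is why the collector also counts inline script bodies so a change in that count can be alerted on.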

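The Software Packing and Encrypted/Encoded File entries above describe packed payloads and encrypted documents and executables. Both leave byte regions whose Shannon entropy sits close to the 8-bit maximum, so a windowed entropy scan points at where such a payload is embedded in a delivered file. The block below is an added triage example, not code from MITRE ATT&CK or the cited reports. The sample file, the window size, the threshold and the deterministic stand-in for an encrypted blob are all constructed for the demonstration.

```python
"""Locate high-entropy regions in a file, a sign of packed or encrypted content (added example)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the block; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy_regions(data: bytes, window: int = 512,
                              threshold: float = 7.0):
    """Return merged (start, end) byte ranges whose windows reach the threshold.

    window: bytes per measurement. With 256 possible byte values the
        plug-in estimator is biased low on small windows (a 256-byte window
        of uniform random data measures around 7.3, a 512-byte window
        around 7.6), so keep it at several hundred bytes or more.
    threshold: 7.0 bits/byte separates code and text (typically 3 to 6)
        from compressed or encrypted data; tune it on a known-clean corpus,
        because legitimately compressed media will also trip it.
    """
    regions = []
    for start in range(0, len(data), window):
        block = data[start:start + window]
        if len(block) < window // 2:
            break  # a short tail gives an unstable estimate; ignore it
        if shannon_entropy(block) >= threshold:
            end = start + len(block)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend the current run
            else:
                regions.append((start, end))
    return regions


def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for an encrypted blob (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample: 2048 bytes of decoy text, a 2048-byte "encrypted"
# payload, then more text, roughly the shape of a decoy document carrying an
# encrypted executable. Lengths are multiples of the window so the
# boundaries of the reported region are exact.
LINE = b"Quarterly supplier review - distribution restricted to staff.".ljust(62) + b"\r\n"
FILLER = LINE * 32
PAYLOAD = _pseudo_random(2048)
SAMPLE_FILE = FILLER + PAYLOAD + FILLER

if __name__ == "__main__":
    for start, end in find_high_entropy_regions(SAMPLE_FILE):
        print(f"high-entropy region at 0x{start:x}-0x{end:x}, "
              f"{shannon_entropy(SAMPLE_FILE[start:end]):.2f} bits/byte")
```

Entropy alone does not distinguish a packed executable from an embedded JPEG or a zip container, so treat a hit as a pointer to carve the region and inspect it (file type, section names, decompression) rather than as a verdict on its own.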
Software

ID | Name | References | Techniques
S0204 | Briba | [2] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Ingress Tool Transfer, System Binary Proxy Execution: Rundll32
S0203 | Hydraq | [2] | Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal: File Deletion, Indicator Removal: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution
S0211 | Linfo | [2] | Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery, Scheduled Transfer, System Information Discovery
S0205 | Naid | [2] | Create or Modify System Process: Windows Service, Modify Registry, System Information Discovery, System Network Configuration Discovery
S0210 | Nerex | [2] | Create or Modify System Process: Windows Service, Ingress Tool Transfer, Modify Registry, Subvert Trust Controls: Code Signing
S0208 | Pasam | [2] | Boot or Logon Autostart Execution: LSASS Driver, Data from Local System, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Local Storage Discovery, Process Discovery, System Information Discovery
S0012 | PoisonIvy | [2] | Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0207 | Vasport | [2] | Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Ingress Tool Transfer, Proxy
S0206 | Wiarp | [2] | Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Ingress Tool Transfer, Process Injection

References
