Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[2] |
| Enterprise | T1189 | Drive-by Compromise | Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.[2][3][1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Elderwood has packed malware payloads before delivery to victims.[2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Elderwood has encrypted documents and malicious executables.[2] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[2][3] |
| Enterprise | T1204.002 | User Execution: Malicious File | Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.[2][3] |
| Enterprise | T1105 | Ingress Tool Transfer | The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[4] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.[2][3] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[2][3] |
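The T1027.002 and T1027.013 rows above record that the group packed and encrypted its payloads, but not how a defender would notice. The script below is an added example, not part of the ATT&CK page and not derived from any Elderwood sample: a byte-entropy triage pass of the kind used to flag packed or encrypted attachments and droppers. Every input is constructed inside the script (repeated plaintext standing in for a normal document, seeded pseudo-random bytes standing in for an encrypted blob, and a plaintext-then-random concatenation mimicking a small unpacker stub followed by a packed body). The 7.2 bits/byte threshold and the 1 KiB window are assumptions to tune against your own corpus.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Return (offset, entropy) for each fixed-size window at or above the threshold.

    Packed executables typically show a low-entropy loader stub followed by a
    high-entropy compressed or encrypted body, so per-window scores localise
    the blob even when the whole-file average looks unremarkable.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a short trailing fragment; its entropy is capped by its length
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def triage(data: bytes, window: int = 1024, threshold: float = 7.2) -> dict:
    """Summarise a file body for an analyst queue.

    'suspicious' is a triage hint only: compressed archives, images and PDF
    streams legitimately score this high, so pair it with file-type checks.
    """
    overall = shannon_entropy(data)
    flagged = high_entropy_windows(data, window, threshold)
    return {
        "overall_entropy": round(overall, 2),
        "flagged_windows": flagged,
        "suspicious": overall >= threshold or bool(flagged),
    }


# Constructed sample inputs (not real samples).
PLAINTEXT = b"This is an ordinary readable document body. " * 100
_rng = random.Random(20240101)  # fixed seed so results are reproducible
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for a ciphertext blob
MIXED = PLAINTEXT[:2048] + ENCRYPTED_LIKE[:2048]  # stub-then-blob layout typical of a packed binary

if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT), ("encrypted-like", ENCRYPTED_LIKE), ("stub+blob", MIXED)):
        r = triage(blob)
        print(f"{label:15s} entropy={r['overall_entropy']:.2f} "
              f"flagged={[off for off, _ in r['flagged_windows']]} suspicious={r['suspicious']}")
```

Treat the output as a queueing signal, not a verdict: a ZIP, PNG or encrypted PDF scores just as high, and a packer that inflates its body with low-entropy filler will score below the threshold, so the check belongs beside file-type validation and sandbox detonation rather than in place of them.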