The Elderwood Project (Infographic)

Symantec Security Response has published a research paper revealing details about a series of attacks perpetrated by a highly organized and well-funded group using the “Elderwood” Attack Platform. This platform is a series of tools and infrastructure used by this group to perform attacks against targets in a speedy and efficient manner. The group behind this platform used it to carry out a multitude of attacks against targets primarily in the defense industry and other organizations within its supply chain. This group demonstrates a dogged persistence and tenacity, along with a high degree of technical expertise as shown by the seemingly unlimited supply of zero-day exploits that they have employed in the past. This research examines a time window of at least three years in which numerous attacks were conducted, and they continue to take place to this day. The paper covers the attack methods used, the possible motives, the scale of the attacks and what to do to stay protected.

The following infographic sums up the facts and figures uncovered in the research. For full details about these attacks, please download the full paper from our Security Whitepaper Repository.

 

The Elderwood Project

In 2009, we saw the start of high-profile attacks by a group using the Hydraq (Aurora) Trojan horse. We've been monitoring the attacking group's activities for the last three years as they've consistently targeted a number of industries. These attackers have used a large number of zero-day exploits against not just the intended target organization, but also the supply chain manufacturers that service the company in their cross hairs. These attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails, but we are now seeing an increased adoption of "watering hole" attacks (compromising certain websites likely to be visited by the target organization).

We call the overall campaign by this group the "Elderwood Project".

Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such zero-day vulnerabilities used by the Elderwood attackers. Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many. The number of zero-day exploits used indicates access to a high level of technical capability. Here are just some of the most recent exploits that they have used:

Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often in close succession if exposure of the currently used vulnerability is imminent.

The primary targets identified are within the defense supply chain, a majority of which are not top-tier defense organizations themselves. These are companies who manufacture electronic or mechanical components that are sold to top-tier defense companies. The attackers do so expecting weaker security postures in these lower tier organizations and may use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company. Figure 1 below shows a snippet of the various industries that are part of the defense supply chain.


Figure 1. Target sectors

One of the vectors of infection we're seeing a substantial increase in, called a “watering hole” attack, is a clear shift in the attacking group's method of operations. The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a website that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889, have all been used within a 30-day period to serve up back door Trojans from compromised websites. The increase in the use of this attack technique requires the attackers to sift through a much greater amount of stolen information than a targeted attack relying on email, as the number of victims compromised by a Web injection attack will be much greater.


Figure 2. Web injection process used in watering hole attacks

Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.

 

Research Paper

We have published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.

 

Hydraq: Past Year in Review

Trojan.Hydraq is a piece of malware that we first saw in early 2010. It was a threat that got a lot of media attention—especially since the targets it chose were very high profile organizations. It's been a couple of years since we mentioned it so we thought we'd provide an update on its activity since then.

Contrary to commonly held thought, Hydraq never went away. Month after month we've observed the attackers using the threat relentlessly on organizations across all sorts of different market sectors. The vector of infection isn't different from most other targeted attacks—well tailored email sent to specific recipients with a link to an exploit hosting website; exploitation leads to download and execution of the Trojan; the Trojan gathers system information and exfiltrates to a remote server; a remote server is contacted every so often to see if additional commands are available. On average we see a new wave of Hydraq attacks every six to eight weeks.

Hydraq uses a method of gathering system and network information initially, and then steals user names and passwords before collating all this information into a 'config' file on the compromised computer. This file is then exfiltrated to a pre-configured remote server. Each Hydraq binary is hardcoded with a command-and-control (C&C) server domain name or IP address to use for further instructions. It is likely these Trojans are being created using a RAT toolkit available to the group behind the attacks.

Unlike the first instance of Hydraq, the attacks that have followed have not made use of any unpatched flaws (also known as a zero-day vulnerability) in any application. The attackers either haven't been able to secure funding for more zero-day vulnerabilities, or just haven't been able to locate one.

Data collected over the past ten months or so shows the breadth of targets these attackers have pursued. Unlike the initial Hydraq targets, which were primarily US-based entities, organizations in at least 20 different countries have been targeted by Hydraq. The map below shows these different countries:

Most of these countries have seen Hydraq attacks as recently as last week.

The market segments being targeted here primarily include government, financial, education, and legal firms. The attacks appear to be coming from the same entity as each Trojan is usually seen in the wild by itself until activity around it dies down. The attackers start a new wave of attacks with new Trojan files only when activity around the previous binary has ceased.

The attackers made use of global infrastructure in order to host their C&C servers. In some cases they've registered domains for the purpose of the attacks, while in others they've relied on free domain registration services to come up with domain names. For hosting it appears they've always relied on hacked servers to serve their purpose. A sampling of the different domains and IP addresses seen hardcoded within the Hydraq binaries shows geographical locations as follows:

Hong Kong
Korea
United States

There is little sophistication in these attacks. The attackers are using stolen infrastructure for the most part, and relying on organizations to have unpatched applications installed on their computers. Targeted entities are either those that host intellectual property of value, or those that can be used as an asset in future malware campaigns. Even if an organization considers itself to be immune to the intellectual property bait, they could be compromised to aid the attackers in additional attack campaigns.

.HLPing Targeted Attacks

Thanks to Takayoshi Nakayama for his research and contributions to this blog.

Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.

Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.

In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint presentations, and even Access database files. At some point along the way, PDF files as attachments came along. Of course, we can’t forget about the simple executables with forged icons that looked like Microsoft Office files. Targeted attacks have also used regional software. Software such as Ichitaro, developed by the Japanese vendor Justsystem, is a common target. Lhaca archiving software (developed by a Japanese author) was also exploited.

Now we’re seeing the Windows Help File (.hlp) extension being used to deliver these attacks. .hlp files are typically used by Windows Help, which is a program included in Windows that allows users to search for and read help details. An .hlp file typically contains documentation and indexes for software and Windows. .hlp files are not new to the malware game; they have long been used, but not as email attachments for the infection vector.

So, why use this type of file? The reason may be because the attackers do not have to rely on vulnerabilities like they do for the other file types I mentioned above. Usually, a vulnerability needs to be exploited in order for malicious files to execute code. If the targeted system is patched, the attack will not succeed. However, .hlp files can call the Windows API and therefore run the shell code encoded in the file. So, by enticing a user to open an .hlp file, malicious files can easily be dropped onto a system. But from a user’s point of view, the only thing that happens is that Windows Help opens (as shown below).
 


 
Under normal circumstances, no user should ever receive .hlp files by email. However, email recipients can easily recognize the icon for the .hlp file type, as shown below:


 
Of the samples I have observed, none have forged icons. So, avoiding these files is relatively simple compared to other file types. However, since human beings are not perfect, one out of the many targets will eventually end up opening it. So, for those administrators securing their networks, if there isn’t any justification for allowing .hlp files to be delivered by email, I would advise that the file extension be filtered out.
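
An added example, not part of the original post: one way to enforce the filtering advised above at a mail gateway, flagging .hlp attachments by extension, by the WinHelp header magic (0x00035F3F) when the file has been renamed, and inside ZIP attachments. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

HLP_MAGIC = b"\x3f\x5f\x03\x00"  # WinHelp header magic 0x00035F3F, little-endian

def hlp_reason(name, head):
    """Return why a file counts as WinHelp ('extension' or 'magic'), else None."""
    clean = (name or "").rstrip(". ").lower()  # Windows drops trailing dots/spaces
    if clean.endswith(".hlp"):
        return "extension"
    return "magic" if head[:4] == HLP_MAGIC else None

def find_hlp_attachments(raw_message):
    """List (name, reason) for each .hlp file attached directly or inside a ZIP."""
    hits = []
    for part in message_from_bytes(raw_message, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reason = hlp_reason(name, data)
        if reason:
            hits.append((name, reason))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    head = b""
                    if not info.flag_bits & 0x1:  # encrypted member: name check only
                        with zf.open(info) as member:
                            head = member.read(4)  # never inflate the whole member
                    reason = hlp_reason(info.filename, head)
                    if reason:
                        hits.append((f"{name}!{info.filename}", reason))
    return hits

def build_sample():
    """Constructed message: a renamed WinHelp file and a ZIP holding an .hlp."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(HLP_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="notes.doc")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Manual.HLP", b"placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="bundle.zip")
    return msg.as_bytes()
```

Calling find_hlp_attachments(build_sample()) reports both the renamed file and the archive member; a gateway would quarantine or strip any message for which the list is non-empty.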