
Elderwood Attack Platform Linked to Multiple Internet Explorer Zero-Day Attacks: Symantec

Researchers at Symantec say the Elderwood attack platform is at the center of numerous zero-day attacks launched by hacker crews around the world this year.

The Elderwood platform has been linked to multiple zero-day exploits during the past few years that have been used to target a variety of sectors, from the defense industry to manufacturing to human rights organizations. 2014 started off with a bang for the platform’s users – within just a month, it was used to exploit three zero-day vulnerabilities, Symantec reports.

According to the company, the evidence now points to multiple attack groups using the platform – a situation researchers speculated could be due to either a distributor selling it or the platform being under the control of a parent organization with multiple subgroups. 

“Based on our evidence…it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups,” according to the Symantec Security Response team. “This alone is a sign of the level of resources available to these attackers.”

“If the exploits are being purchased from a third-party distributor, the purchasing organization must have substantial financial resources to pay for the exploits,” Symantec continued. “If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so. These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.”

In 2012, the platform was linked to several Microsoft and Adobe Flash Player exploits, such as CVE-2012-0779 and CVE-2012-1889. So far this year, the platform has been linked to the following zero-days:

Among the groups linked to the platform is Hidden Lynx, an organization active since at least 2009 that Symantec refers to as a “hackers-for-hire” service. The platform has also been tied to a group called Sakurel, which targeted the aerospace industry with exploits for a number of Internet Explorer vulnerabilities as well as a vulnerability in Adobe Flash Player.

“Along with the attack groups’ use of these exploits through their campaigns, the exploits’ infrastructure also appears to be linked,” according to Symantec. “The two recent Internet Explorer zero-day exploits for CVE-2014-0322 and CVE-2014-0324 share a number of features, including common shellcode. They both can also decrypt malware retrieved from images and write the decrypted malware to a file with a “.txt” extension in the %Temp% folder.”
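The behaviour Symantec describes above, a browser-borne exploit writing a decrypted payload to a “.txt” file in %Temp%, is something a defender can look for in endpoint file-creation telemetry. The following is an added example, not code from Symantec or SecurityWeek: it assumes a hypothetical pipe-delimited “timestamp|process|path” export, a constructed set of sample events, and the usual on-disk locations of %Temp%. It flags browser writes of .txt files into a Temp directory and, separately, checks whether a file claiming to be text actually begins with a PE header.

```python
import re

# Constructed sample file-creation events (not real telemetry). Each line is a
# hypothetical "timestamp|writing process|written path" record; the record
# format, user names and file names are assumptions made for this example.
SAMPLE_EVENTS = """\
2014-03-05T10:01:02|C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2c3.txt
2014-03-05T10:01:05|C:\\Windows\\System32\\notepad.exe|C:\\Users\\alice\\Documents\\notes.txt
2014-03-05T10:02:11|C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\cache.tmp
2014-03-05T10:03:40|C:\\Windows\\System32\\svchost.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\setup.txt
"""

# Writers of interest: the article concerns Internet Explorer and Flash
# exploits, so the browser process is the one whose Temp writes matter here.
# Extend this set for other plugin hosts in your environment (assumption).
BROWSER_PROCESSES = {"iexplore.exe"}

# %Temp% is resolved per user at runtime; match the common on-disk locations.
TEMP_TXT_PATTERN = re.compile(
    r"\\(AppData\\Local\\Temp|Windows\\Temp)\\[^\\]+\.txt$", re.IGNORECASE
)


def parse_events(text):
    """Split the pipe-delimited records into (timestamp, process, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.split("|", 2)
        events.append((ts, proc, path))
    return events


def find_suspicious_temp_writes(text):
    """Return events in which a browser process wrote a .txt file into %Temp%.

    This is a heuristic for triage, not proof of compromise: a legitimate
    page can also cause the browser to write text files, so hits should be
    paired with the content check below or with other telemetry."""
    hits = []
    for ts, proc, path in parse_events(text):
        exe = proc.rsplit("\\", 1)[-1].lower()
        if exe in BROWSER_PROCESSES and TEMP_TXT_PATTERN.search(path):
            hits.append((ts, proc, path))
    return hits


def is_pe_masquerading_as_text(data):
    """True when bytes that were written as a .txt file start with the PE 'MZ'
    header. The extension alone proves nothing; the content does."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    for ts, proc, path in find_suspicious_temp_writes(SAMPLE_EVENTS):
        print(f"{ts}: {proc} wrote {path}")
    # Constructed sample of a file body, not taken from any real payload.
    print(is_pe_masquerading_as_text(b"MZ\x90\x00\x03"))
```

On the constructed events only the first record is flagged: notepad writes outside Temp, the browser's second write is not a .txt file, and svchost is not a browser. The MZ check is the part worth keeping even if the path heuristic is tuned away; it is what distinguishes a dropped executable from a harmless cache file.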

“Along with this, exploits for both CVE-2014-0502 and CVE-2014-0322 were hosted on the same site,” Symantec noted. “Finally, there are indications that suggest that a CVE-2014-0324 exploit was used to drop Backdoor.Linfo. The same malware was dropped in 2012 with the CVE-2012-0779 exploit.” 

“Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated,” according to Symantec. “They present a serious threat to potential targets.”

Written By

Marketing professional with a background in journalism and a focus on IT security.