Security Experts:

Connect with us

Hi, what are you looking for?



Elderwood Attack Platform Linked to Multiple Internet Explorer Zero-Day Attacks: Symantec

Researchers at Symantec say the Elderwood attack platform is at the center of numerous zero-day attacks launched by hacker crews around the world this year.

Researchers at Symantec say the Elderwood attack platform is at the center of numerous zero-day attacks launched by hacker crews around the world this year.

The Elderwood platform has been linked to multiple zero-day exploits during the past few years that have been used to target a variety of sectors, from the defense industry to manufacturing to human rights organizations. 2014 started off with a bang for the platform’s users – within just a month, it was used to exploit three zero-day vulnerabilities, Symantec reports.

According to the company, the evidence now points to multiple attack groups using the platform – a situation researchers speculated could be due to either a distributor selling it or the platform being under the control of a parent organization with multiple subgroups. 

“Based on our evidence…it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups,” according to the Symantec Security Response team. “This alone is a sign of the level of resources available to these attackers.”

“If the exploits are being purchased from a third-party distributor, the purchasing organization must have substantial financial resources to pay for the exploits,” Symantec continued. “If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so. These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.”

In 2012, the platform was linked to several Microsoft and Adobe Flash Player exploits, such as CVE-2012-0779 and CVE-2012-1889. So far this year, the platform has been linked to the following zero-days:

Among the groups linked to the platform is Hidden Lynx, an organization that has been active since at least 2009 that Symantec refers to as a “hackers-for-hire” service. The platform has also been tied to a group called Sakurel, which targeted the aerospace industry with exploits for a number of Internet Explorer vulnerabilities as well as vulnerability in Adobe Flash Player. 

“Along with the attack groups’ use of these exploits through their campaigns, the exploits’ infrastructure also appears to be linked,” according to Symantec. “The two recent Internet Explorer zero-day exploits for CVE-2014-0322 and CVE-2014-0324 share a number of features, including common shellcode. They both can also decrypt malware retrieved from images and write the decrypted malware to a file with a “.txt” extension in the %Temp% folder.”

“Along with this, exploits for both CVE-2014-0502 and CVE-2014-0322 were hosted on the same site,” Symantec noted. “Finally, there are indications that suggest that a CVE-2014-0324 exploit was used to drop Backdoor.Linfo. The same malware was dropped in 2012 with the CVE-2012-0779 exploit.” 

“Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated,” according to Symantec. “They present a serious threat to potential targets.”

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.