Elderwood
Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

ID: G0066
Associated Groups: Elderwood Gang, Beijing Group, Sneaky Panda
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.3
Created: 18 April 2018
Last Modified: 17 November 2024

Associated Group Descriptions
Elderwood Gang [2] [3]
Beijing Group [3]
Sneaky Panda [3]

Techniques Used
Enterprise T1189 Drive-by Compromise: Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector. [2] [3] [1]
Enterprise T1203 Exploitation for Client Execution: Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits. [2]
Enterprise T1105 Ingress Tool Transfer: The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location. [4]
Enterprise T1027.002 Obfuscated Files or Information: Software Packing: Elderwood has packed malware payloads before delivery to victims. [2]
Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File: Elderwood has encrypted documents and malicious executables. [2]
Enterprise T1566.001 Phishing: Spearphishing Attachment: Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments. [2] [3]
Enterprise T1566.002 Phishing: Spearphishing Link: Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server. [2] [3]
Enterprise T1204.001 User Execution: Malicious Link: Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links. [2] [3]
Enterprise T1204.002 User Execution: Malicious File: Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments. [2] [3]

Software
S0204 Briba [2]. Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Create or Modify System Process: Windows Service; Ingress Tool Transfer; System Binary Proxy Execution: Rundll32
S0203 Hydraq [2]. Techniques: Access Token Manipulation; Create or Modify System Process: Windows Service; Data from Local System; Encrypted Channel: Symmetric Cryptography; Exfiltration Over Alternative Protocol; File and Directory Discovery; Indicator Removal: File Deletion; Indicator Removal: Clear Windows Event Logs; Ingress Tool Transfer; Modify Registry; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; Shared Modules; System Information Discovery; System Network Configuration Discovery; System Service Discovery; System Services: Service Execution
S0211 Linfo [2]. Techniques: Command and Scripting Interpreter: Windows Command Shell; Data from Local System; Fallback Channels; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Process Discovery; Scheduled Transfer; System Information Discovery
S0205 Naid [2]. Techniques: Create or Modify System Process: Windows Service; Modify Registry; System Information Discovery; System Network Configuration Discovery
S0210 Nerex [2]. Techniques: Create or Modify System Process: Windows Service; Ingress Tool Transfer; Modify Registry; Subvert Trust Controls: Code Signing
S0208 Pasam [2]. Techniques: Boot or Logon Autostart Execution: LSASS Driver; Data from Local System; File and Directory Discovery; Indicator Removal: File Deletion; Ingress Tool Transfer; Local Storage Discovery; Process Discovery; System Information Discovery
S0012 PoisonIvy [2]. Techniques: Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Active Setup; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Execution Guardrails: Mutual Exclusion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit
S0207 Vasport [2]. Techniques: Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Ingress Tool Transfer; Proxy
S0206 Wiarp [2]. Techniques: Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Ingress Tool Transfer; Process Injection

References
[1] Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks? Retrieved February 13, 2018.
[2] O'Gorman, G., & McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
[3] Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
[4] Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.