The extent to which a group of hackers dubbed “the Elderwood Project” has left digital traces is astonishing, according to Symantec researchers. In a blog post, they’ve documented efforts by the group, named for a source code variable they use to quickly deploy zero-day exploits through spear phishing e-mails and, increasingly, through Web injections in watering-hole attacks.
What is this exploit? Think about a thirsty zebra on the Serengeti. Predators wait at the oasis, knowing that eventually the zebras will show up to drink. In cyberspace, attackers find their way into a high-profile but insecure website and add iFrame content that injects a backdoor Trojan exploit into browsers’ computers. The iFrame link isn’t the actual exploit, but when clicked it will bring up another Web page that hosts the malware — and it’s game over.
The Symantec researchers write:
In watering-hole attacks, the attackers may compromise a website months before they actually use it in an attack. Once compromised, the attackers periodically connect to the website to ensure that they still have access. This way, the attackers can infect a number of websites in one stroke, thus preserving the value of their zero-day exploit.
The Elderwood Project has been responsible for numerous attacks over the past couple of years, including compromising the Hong Kong Amnesty International website back in May 2012 and other exploits since then. Each of these used Shockwave files that open up remote execution vulnerabilities.
When the researchers decompiled the code, they found variables that were used with odd similar names in each exploit, thus demonstrating the common authorship. Symantec has seen infections across the world, although the majority of them have occurred in the U.S.
The group has written some complex code that involves multiple zero-day exploits, multiple Trojans and multiple delivery vectors. They clearly have manpower and resources for wholesale intellectual property theft. Earlier this month, Microsoft issued patches for the most recent vulnerability.
Symantec isn’t alone in taking a closer look here, and a post by Eric Romang goes into further details about what is going on with these exploits. He uses Google’s cache of the exploit files, which is a nice way to reference them. He found remnants of the exploit on two websites of American businesses, apparently appearing in mid September. Sadly, when security researchers tried to contact the site owners and warn them they were hosting malware, they never got a response.
“It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering-hole attacks, and we expect them to continue to do so in the New Year,” Symantec said. The security company cautions anyone in the defense supply chain to be especially careful.
So, just like when you’re tempted to visit a watering hole, pay attention to your surroundings. And when someone claims they have your back, take a closer look.
- The Elderwoord Project [Symantec - PDF]
- Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More [Eric Romang blog]
Image: Zebra Drinking [Bigstock]