{
	"id": "7a92a6b3-99b4-4138-8b50-d11e57b393a5",
	"created_at": "2026-04-06T00:17:16.2051Z",
	"updated_at": "2026-04-10T03:37:58.746805Z",
	"deleted_at": null,
	"sha1_hash": "fb8df83d58f09d53438e5dcf70159b30f0d89516",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60170,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 12:43:40 UTC\r\nIn 2009, we saw the start of high-profile attacks by a group using the Hydraq (Aurora) Trojan horse. We've been monitoring the attacking group's activities for the last three years as they've consistently targeted a number of industries. These attackers have used a large number of zero-day exploits against not just the intended target organization, but also the supply chain manufacturers that service the company in their crosshairs. These attackers are systematic and reuse components of an infrastructure we have termed the \"Elderwood Platform\". The term \"Elderwood\" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails, but we are now seeing an increased adoption of \"watering hole\" attacks (compromising certain websites likely to be visited by the target organization).\r\nWe call the overall campaign by this group the \"Elderwood Project\".\r\nSerious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such zero-day vulnerabilities used by the Elderwood attackers. Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many. The number of zero-day exploits used indicates access to a high level of technical capability. Here are just some of the most recent exploits that they have used:\r\n• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)\r\n• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)\r\n• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)\r\n• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)\r\nIn order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often in close succession of each other if exposure of the currently used vulnerability is imminent.\r\nThe primary targets identified are within the defense supply chain, a majority of which are not top-tier defense organizations themselves. These are companies that manufacture electronic or mechanical components that are sold to top-tier defense companies. The attackers do so expecting weaker security postures in these lower-tier organizations and may use these manufacturers as a stepping-stone to gain access to top-tier defense contractors, or obtain intellectual property used in the production of parts that make up larger products produced by a top-tier defense company. Figure 1 below shows a snippet of the various industries that are part of the defense supply chain.\r\nFigure 1. Target sectors\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 2\n\nOne of the vectors of infection we're seeing a substantial increase in, called a “watering hole” attack, is a clear shift in the attacking group's method of operations. The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a website that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889, have all been used within a 30-day period to serve up back door Trojans from compromised websites. The increase in the use of this attack technique requires the attackers to sift through a much greater amount of stolen information than a targeted attack relying on email, as the number of victims compromised by a Web injection attack will be much greater.\r\nFigure 2. Web injection process used in watering hole attacks\r\nAny manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies that have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.\r\nResearch Paper\r\nWe have published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a339e456-3f5a-40e9-b293-233281105e85",
			"created_at": "2022-10-25T15:50:23.260847Z",
			"updated_at": "2026-04-10T02:00:05.248583Z",
			"deleted_at": null,
			"main_name": "Elderwood",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"Beijing Group",
				"Sneaky Panda"
			],
			"source_name": "MITRE:Elderwood",
			"tools": [
				"PoisonIvy",
				"Naid",
				"Briba",
				"Hydraq",
				"Linfo",
				"Nerex",
				"Vasport",
				"Wiarp",
				"Pasam"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4",
				"DarkSeoul",
				"Maverick Panda",
				"Salmon Typhoon",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoon",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "57d2c58d-0445-441f-b94f-99d217b9e3c4",
			"created_at": "2023-01-06T13:46:38.327743Z",
			"updated_at": "2026-04-10T02:00:02.930027Z",
			"deleted_at": null,
			"main_name": "Beijing Group",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"SIG22",
				"G0066",
				"SNEAKY PANDA"
			],
			"source_name": "MISPGALAXY:Beijing Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb8df83d58f09d53438e5dcf70159b30f0d89516.pdf",
		"text": "https://archive.orkl.eu/fb8df83d58f09d53438e5dcf70159b30f0d89516.txt",
		"img": "https://archive.orkl.eu/fb8df83d58f09d53438e5dcf70159b30f0d89516.jpg"
	}
}