
Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)
ID: G0066
Associated Groups: Beijing Group, Sneaky Panda, Elderwood Gang
Version: 1.3
Created: 18 Apr 2018
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name | Description
Beijing Group | (Citation: CSM Elderwood Sept 2012)
Sneaky Panda | (Citation: CSM Elderwood Sept 2012)
Elderwood Gang | (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Techniques Used

Domain | ID | Name | Use

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing
Use: Elderwood has packed malware payloads before delivery to victims. (Citation: Symantec Elderwood Sept 2012)

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
Use: Elderwood has encrypted documents and malicious executables. (Citation: Symantec Elderwood Sept 2012)

Enterprise | T1566.001 | Phishing: Spearphishing Attachment
Use: Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1566.002 | Phishing: Spearphishing Link
Use: Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1204.001 | User Execution: Malicious Link
Use: Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Enterprise | T1204.002 | User Execution: Malicious File
Use: Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

Software

ID Name References Techniques
S0206 Wiarp (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012) Ingress Tool Transfer, Windows Command Shell, Process Injection, Windows Service, Commonly Used Port
S0205 Naid (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012) System Network Configuration Discovery, Commonly Used Port, System Information Discovery, Modify Registry, Windows Service, Custom Command and Control Protocol
S0203 Hydraq (Citation: 9002 RAT) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: Aurora) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: FireEye Sunshop Campaign May 2013) (Citation: HidraQ) (Citation: HomeUnix) (Citation: Homux) (Citation: HydraQ) (Citation: McRat) (Citation: MdmBot) (Citation: MicroFocus 9002 Aug 2016) (Citation: Novetta-Axiom) (Citation: PaloAlto 3102 Sept 2015) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: Roarur) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) Query Registry, Shared Modules, Service Execution, System Network Configuration Discovery, System Information Discovery, Data from Local System, Modify Registry, Ingress Tool Transfer, Obfuscated Files or Information, Windows Service, Symmetric Cryptography, System Service Discovery, File Deletion, Process Discovery, Screen Capture, Clear Windows Event Logs, Exfiltration Over Alternative Protocol, File and Directory Discovery, Access Token Manipulation
S0204 Briba (Citation: Symantec Briba May 2012) (Citation: Symantec Elderwood Sept 2012) Commonly Used Port, Windows Service, Rundll32, Ingress Tool Transfer, Registry Run Keys / Startup Folder
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Mutual Exclusion, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0210 Nerex (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012) Ingress Tool Transfer, Code Signing, Windows Service, Modify Registry
S0208 Pasam (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012) Commonly Used Port, Process Discovery, Ingress Tool Transfer, File and Directory Discovery, LSASS Driver, System Information Discovery, File Deletion, Data from Local System
S0211 Linfo (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012) System Information Discovery, Fallback Channels, Ingress Tool Transfer, File and Directory Discovery, File Deletion, Scheduled Transfer, Windows Command Shell, Process Discovery, Data from Local System
S0207 Vasport (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012) Web Protocols, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Proxy
