Rash of Recent Zero-days Linked Back to a Central Author


It’s difficult to definitively link the use of zero-day exploits back to one central group or organization, but a repeating pattern of attack groups using Internet Explorer and Flash zero-days to deliver the same malware families suggests that all of them can be traced back to one exploit platform, dubbed Elderwood.

Researchers at Symantec have found that several recent zero-day exploits share many implementation details, including their use of the Elderwood exploit kit. The Elderwood platform was first documented in 2012 and is best known as the platform behind Operation Aurora, which attacked Google and popularized the term "advanced persistent threat." Since its discovery it has been continuously updated with the latest zero-day exploits; within a single month at the start of 2014, it was used to exploit three zero-day vulnerabilities.

Once a zero-day exploit has been deployed in an attack, it can be reverse-engineered, copied and re-purposed by other attackers, so shared use of an exploit is not by itself evidence of coordination between groups. The Elderwood platform is particularly easy to reverse-engineer, because its exploits are neatly packaged and kept separate from the payload. It may well have been built this way on purpose, so that its customers, including non-technical attackers, can make use of it with little effort.

However, the evidence in these cases indicates a greater degree of communication between attack groups than simple copying and re-use would produce, Symantec said in an analysis. Along with the attack groups’ use of the same exploits and malware families (such as Icefog) across their campaigns, the hosting infrastructure used to deliver the exploits also appears to be linked.

“The two recent Internet Explorer zero-day exploits for CVE-2014-0322 and CVE-2014-0324 share a number of features, including common shellcode,” Symantec said. “They both can also decrypt malware retrieved from images and write the decrypted malware to a file with a .txt extension in the %Temp% folder. Along with this, exploits for both CVE-2014-0502 and CVE-2014-0322 were hosted on the same site. Finally, there are indications that suggest that a CVE-2014-0324 exploit was used to drop Backdoor.Linfo. The same malware was dropped in 2012 with the CVE-2012-0779 exploit.”
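One indicator in that description is worth turning into a concrete check: a file with a harmless-looking .txt extension in %Temp% whose bytes are actually a Windows executable. The script below is an added defensive example, not code from the original article or from Symantec; it scans a directory for .txt files that begin with an MZ stub pointing at a PE signature, using a constructed header as sample input. The heuristic (checking only the first 4 KB and requiring the PE signature within it) is an assumption chosen for illustration.

```python
"""Heuristic scan for Windows executables saved with a .txt extension in %Temp%."""
import os
import struct
import tempfile
from pathlib import Path

# Constructed sample: a minimal MZ/PE header, not a real executable.
_hdr = bytearray(0x100)
_hdr[:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x80)   # e_lfanew field -> PE signature at offset 0x80
_hdr[0x80:0x84] = b"PE\x00\x00"
CONSTRUCTED_PE_HEAD = bytes(_hdr)


def looks_like_pe(head: bytes) -> bool:
    """True if the data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_disguised_executables(directory: Path, extension: str = ".txt",
                               head_size: int = 4096) -> list[Path]:
    """Return files under `directory` with `extension` whose leading bytes form a PE header."""
    hits = []
    for path in directory.rglob(f"*{extension}"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(head_size)
        except OSError:          # locked or unreadable file: skip rather than abort the scan
            continue
        if looks_like_pe(head):
            hits.append(path)
    return hits


def run_demo() -> list[str]:
    """Populate a temp dir with a benign note, a PE disguised as .txt, and a real .exe; scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("just a note")
        (root / "dropped.txt").write_bytes(CONSTRUCTED_PE_HEAD)   # should be reported
        (root / "tool.exe").write_bytes(CONSTRUCTED_PE_HEAD)      # not .txt, so not reported
        return sorted(p.name for p in find_disguised_executables(root))


if __name__ == "__main__":
    temp_dir = Path(os.environ.get("TEMP", tempfile.gettempdir()))
    for hit in find_disguised_executables(temp_dir):
        print(f"PE content behind a .txt extension: {hit}")
    print("demo:", run_demo())
```

Run on a real %Temp% it only flags the extension/content mismatch; a hit still needs triage, since legitimate software occasionally stages binaries under odd names.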

The firm believes that a single parent organization, divided into a number of subgroups, is responsible for the zero-days. Each subgroup is tasked with targeting a particular industry; attacks have hit defense, the defense supply chain, manufacturing, IT and human rights organizations, among others. The parent organization obtains the zero-day exploits and coordinates their distribution and use among the subgroups, each of which then deploys its own individually developed malware families and operates its own network infrastructure.

“The attack groups are separate entities with their own agendas,” the firm explained. One of them is Hidden Lynx, for example, a large-scale "hacking for hire" group likely based in China.

Researchers added, “These groups all have contact with a single zero-day exploit supplier which delivers the exploits to the groups at the same time. The supplier may give certain groups preferential treatment, offering zero-day exploits to some attack groups a few days before others.”

Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, Symantec said it is clear that the various groups using Elderwood zero-day exploits are well resourced and motivated, and present a serious threat to potential targets.

“Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits,” Symantec noted. “If the exploits are being purchased from a third party distributor, the purchasing organization must have substantial financial resources to pay for the exploits. If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so. These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.”
