Openhunting Threat Library

Elirks

Elirks
(Type: Backdoor, Info stealer)

(Palo Alto) Elirks, less widely known than {{PlugX}}, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services for the last couple of years.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year
2
2016


Trend Per Month
1
Jun 2016
1
Sep 2016



[News Analysis] News Mention Another Threat Name:

2 - Elirks2 - Logedrut2 - Micrass


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies

2016-09-15 by Kaoru Hayashi from Palo Alto Networks Unit 42

Tracking Elirks Variants in Japan: Similarities to Previous Attacks

2016-06-23 by Kaoru Hayashi from Palo Alto Networks Unit 42

Basic Information (Credit @etda.or.th)

Tool: Elirks

Names: Elirks

Description: (Palo Alto) Elirks, less widely known than {{PlugX}}, is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. We mostly observe attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. We have seen multiple Elirks variants using Japanese blog services for the last couple of years.

Category: Malware

Type: Backdoor, Info stealer

Information: https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/

Information: https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:elirks

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact