The financially motivated cybercriminal group Elephant Beetle is stealing millions of dollars from organizations around the world using more than 80 unique tools and scripts.
The group stands out for its technical skill and patience: it studies the compromised environment and the victim's financial transactions for months and only then moves on to exploitation.
According to the security company Sygnia, the attackers inject fraudulent transactions into the network and steal small amounts over a long period; in aggregate they quietly move millions of dollars. If the victim notices them, the hackers lie low for a while and then return through another system.
Elephant Beetle's typical entry point is legacy Java applications running on Linux systems. Rather than buying or finding zero-day vulnerabilities, the group exploits known and, most likely, unpatched ones (CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326).
Because the attackers spend a long time studying the target organization's environment and transactions, their first priority is to avoid detection. They blend their malicious traffic with normal traffic, disguise their packets as legitimate ones, present web shells as font, image, CSS or JS files, and hide payloads inside WAR archives.
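One way a defender can look for that kind of disguise in the artifacts they control, as an added example that is not part of the original article or of Sygnia's tooling: the script below opens a WAR archive and flags entries whose extension claims a static asset (font, image, CSS, JS) but whose content either lacks the format's expected leading bytes or contains JSP scriptlet markers. The sample archive, its entry names and the small magic-byte table are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extensions that should only ever hold static assets, never server-side code.
STATIC_EXTS = (".css", ".js", ".png", ".jpg", ".gif", ".woff", ".woff2", ".ttf", ".ico", ".svg")

# Expected leading bytes for a few binary formats (assumption: a small, well-known subset).
MAGIC = {
    ".png": b"\x89PNG",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".woff": b"wOFF",
    ".woff2": b"wOF2",
}

# JSP scriptlet / tag markers that have no business inside a static asset.
JSP_MARKERS = re.compile(rb"<%[@!=]?|<jsp:")


def suspicious_entries(war_bytes: bytes) -> Dict[str, List[str]]:
    """Return {entry name: [reasons]} for static-looking entries that do not look static inside."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            name = info.filename
            ext = next((e for e in STATIC_EXTS if name.lower().endswith(e)), None)
            if ext is None or info.is_dir():
                continue
            data = war.read(name)
            reasons = []
            expected = MAGIC.get(ext)
            if expected and not data.startswith(expected):
                reasons.append(f"magic bytes do not match {ext}")
            if JSP_MARKERS.search(data):
                reasons.append("contains JSP scriptlet markers")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_war() -> bytes:
    """Constructed in-memory WAR: three genuine assets and one 'font' that is really JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("css/site.css", "body { color: #333; }")
        war.writestr("img/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        war.writestr("js/app.js", "console.log('hello');")
        # Constructed sample: harmless scriptlet, only its presence matters here.
        war.writestr("fonts/icons.woff", b'<%@ page import="java.util.*" %><% out.println("sample"); %>')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_war()).items():
        print(entry, "->", "; ".join(why))
```

Run it against a WAR pulled from a deployment directory rather than the constructed one; the two checks are independent, so a text asset such as a CSS file (no magic bytes to compare) is still caught when it carries scriptlet markers.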
The group moves laterally across the network mainly through web application servers and SQL servers, using the Windows API (SMB/WMI) and xp_cmdshell, and it also deploys backdoors.
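Added detection example (not from the article): the function below runs over a few constructed SQL Server audit lines in an assumed `timestamp|login|client_host|statement` layout and flags any statement that enables xp_cmdshell through sp_configure or invokes it, so that use of the procedure from an application account stands out among ordinary queries. The log lines, logins and hosts are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed audit lines in an assumed "timestamp|login|client_host|statement" layout.
SAMPLE_AUDIT = """\
2021-12-01T10:15:02|app_svc|10.0.4.12|SELECT id, amount FROM payments WHERE status = 'pending'
2021-12-01T10:15:40|sa|10.0.9.77|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2021-12-01T10:16:05|app_svc|10.0.4.12|EXEC master..xp_cmdshell 'dir'
2021-12-01T10:17:11|report_ro|10.0.4.30|SELECT TOP 10 * FROM ledger ORDER BY ts DESC
2021-12-01T10:18:30|app_svc|10.0.4.12|UPDATE payments SET status = 'settled' WHERE id = 4411
"""

# Enabling the procedure and invoking it are matched separately so the alert says which happened.
ENABLE_RE = re.compile(r"sp_configure\s+'?xp_cmdshell'?\s*,\s*1\b", re.IGNORECASE)
INVOKE_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    login: str
    client_host: str
    reason: str


def scan_audit(log_text: str) -> List[Finding]:
    """Return one Finding per audit line that enables or invokes xp_cmdshell."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, login, host, statement = line.split("|", 3)
        if ENABLE_RE.search(statement):
            findings.append(Finding(ts, login, host, "xp_cmdshell enabled via sp_configure"))
        elif INVOKE_RE.search(statement):
            findings.append(Finding(ts, login, host, "xp_cmdshell invoked"))
    return findings


if __name__ == "__main__":
    for f in scan_audit(SAMPLE_AUDIT):
        print(f"{f.timestamp} {f.login}@{f.client_host}: {f.reason}")
```

The enable check is ordered first because a line that turns the procedure on also contains its name and would otherwise be reported only as an invocation. Whether xp_cmdshell is currently enabled on a live instance can be read from the sys.configurations catalog view, which complements this log-based check.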
Elephant Beetle uses Spanish variable names and filenames in its code, and most of its C&C server IPs are Mexican. A Java network scanner was uploaded to VirusTotal from Argentina, probably in the early stages of its development and testing. The group can therefore be assumed to be linked to Latin America and may be related to, or overlap with, FIN13 (a designation used by the security company Mandiant).