Sygnia researchers have detailed an organized financial theft campaign by a threat actor named Elephant Beetle. The group gains entry by exploiting unpatched vulnerabilities, then spends months studying the victim's network and environment, including its financial transactions, before it acts.
Diving into details
Elephant Beetle targets legacy Java applications on Linux systems to gain entry into a network. Instead of purchasing or developing zero-day exploits, it targets common, known flaws that may have gone unpatched. Once inside, the group deploys its own Java web application on the victim machine, alongside the legitimate application the machine is meant to run. The gang leverages an arsenal of more than 80 tools and scripts to conduct its attacks while blending in with the victim environment.
Unique modus operandi
What is unique about this threat actor is the extent of its research into the victim's financial systems and operations. Given the long period Elephant Beetle spends hiding inside a network, it frequently alters and adapts its tactics and techniques to stay effective. Its tooling is disguised as legitimate packages so that it blends in with regular traffic; the group's web shells, for instance, mimic fonts, images, JS resources, or CSS.
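As an added detection example (not code from Sygnia's report or from this page): the mimicry described above, where server-side code hides behind a static-resource file name, can be surfaced by scanning a web root for files whose extension says font, image, CSS or JS but whose bytes carry JSP or compiled-Java markers. The marker patterns, the directory layout and the sample files the script creates are assumptions constructed for this example, not indicators from the report.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a web server would normally serve as static content. A file with one
# of these suffixes should never contain server-side Java/JSP code.
STATIC_EXTS = {".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg",
               ".woff", ".woff2", ".ttf", ".eot"}

# Content markers that do not belong in a static resource. These patterns are
# illustrative choices for this example, not a signature set from Sygnia.
MARKERS = [
    ("jsp-directive", re.compile(rb"<%@\s*page\b")),
    ("jsp-scriptlet", re.compile(rb"<%(?!@)")),          # <% ... %>, <%= and <%! blocks
    ("runtime-exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec\(")),
    ("process-builder", re.compile(rb"new\s+ProcessBuilder\(")),
]
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every compiled .class file


def suspicious_markers(data: bytes) -> List[str]:
    """Return the names of the markers found in a file's raw bytes, in MARKERS order."""
    hits = []
    if data.startswith(CLASS_MAGIC):
        hits.append("java-class-magic")
    hits.extend(name for name, pat in MARKERS if pat.search(data))
    return hits


def scan_webroot(root) -> Dict[str, List[str]]:
    """Walk a web root and report static-looking files that carry Java/JSP markers."""
    root = Path(root)
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in STATIC_EXTS:
            continue
        hits = suspicious_markers(path.read_bytes())
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root: two benign files and two disguised ones."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "css/app.css": b"body { font-family: sans-serif; color: #333; }\n",
        "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        # Constructed sample: JSP saved under a font name, the analogue of a
        # web shell disguised as a font resource.
        "fonts/icons.woff": (b'<%@ page import="java.io.*" %>\n'
                             b'<% Runtime.getRuntime().exec("id"); %>\n'),
        # Constructed sample: a compiled Java class saved as a JavaScript file.
        "js/vendor.js": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16,
    }
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_webroot()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real deployment by pointing `scan_webroot` at the application's document root; because the check looks at content rather than trusting the extension, a shell renamed to `.woff` or `.css` is flagged even though the web server and most file-type listings would treat it as a harmless resource. Pair the scan with a modification-time baseline of the static directories, since a legitimate font or stylesheet rarely changes after deployment.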
Why this matters
Elephant Beetle is capable of injecting fraudulent transactions among regular activity, in the process stealing millions of dollars over time. The threat actor steals relatively small amounts of money in increments, allowing it to remain undetected and avert suspicion.
While it has focused on Latin America for at least four years, it is capable of going international: researchers have already found evidence of a breach in the Latin American operations of a U.S.-based company.
The bottom line
Elephant Beetle has proven to be a significant threat due to its highly organized nature and stealth techniques. It is patient and takes time to learn its victims’ financial systems and operations. Moreover, the group shares similarities with the Mexico-based FIN13 group tracked by Mandiant. Sygnia has offered indicators of compromise and defense recommendations against this aggressive malicious actor. Follow them and stay safe.