Elephant Beetle Steals Millions of Dollars from Organizations Around the World

Elephant Beetle steals millions
Written by Emma Davis

The financially profitable cybercriminal group Elephant Beetle is stealing millions of dollars from organizations around the world using more than 80 unique tools and scripts.

The group is distinguished by high technical skills and great patience – it carefully studies the attacked environment and the victim’s financial transactions for several months and only then proceeds to exploit vulnerabilities.

According to information security company Sygnia, cybercriminals introduce fraudulent transactions into the network and steal small amounts over a long period of time.

Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money.Sygnia experts say.

As a result, they manage to quietly transfer millions of dollars. If the victim “spotted” them, the hackers lie down for a while, and then return again through another system.

Typically, the entry point for the Elephant Beetle are outdated Java applications on Linux systems. The group prefers not to buy or find zero-day vulnerabilities, but to exploit known and most likely unpatched vulnerabilities (CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326).

Since attackers take a long time to study the environment and transactions of the attacked organization, their initial goal is to bypass detection. To do this, they mix their malicious traffic with normal traffic, spoofing packages as legitimate ones, presenting web shells as fonts, images, or CSS and JS sources, and hiding the payload in WAR archives.

Teaming performs lateral movement across the network primarily through web application servers and SQL servers using the Windows API (SMB / WMI) and xp_cmdshell. It also uses backdoors.

Let me remind you that we also reported, for example, that Google experts talked about a hacker group using 11 zero-day bugs.

Elephant Beetle uses Spanish code variables and filenames, and most C&C server IPs are Mexican. A Java network scanner was downloaded to Virus Total from Argentina, probably in the early stages of development and testing. Therefore, it can be assumed that the grouping is associated with Latin America and may relate to or overlap with the FIN13 grouping (classification of the information security company Mandiant).

We also talked about the fact that Hackers attack e-banking users by phishing QR codes.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.