Elephant Beetle Steals Millions of Dollars from Organizations Around the World

The financially profitable cybercriminal group Elephant Beetle is stealing millions of dollars from organizations worldwide using more than 80 unique tools and scripts.

According to information security company Sygnia, cybercriminals introduce fraudulent transactions into the network and steal small amounts over a long period of time.

As a result, they manage to transfer millions of dollars quietly. If the victim “spotted” them, the hackers lie down for a while and then return through another system.

Typically, the entry point for the Elephant Beetle are outdated Java applications on Linux systems. The group prefers not to buy or find zero-day vulnerabilities, but to exploit known and most likely unpatched vulnerabilities (CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326).

Since attackers take a long time to study the environment and transactions of the attacked organization, their initial goal is to bypass detection. To do this, they mix their malicious traffic with regular traffic, spoofing packages as legitimate ones, presenting web shells as fonts, images, or CSS and JS sources, and hiding the payload in WAR archives.

Teaming performs lateral movement across the network primarily through web application servers and SQL servers using the Windows API (SMB / WMI) and xp_cmdshell. It also uses backdoors.

Let me remind you that we also reported, for example, that Google experts talked about a hacker group using 11 zero-day bugs.

Elephant Beetle uses Spanish code variables and filenames, and most C&C server IPs are Mexican. A Java network scanner was downloaded to Virus Total from Argentina, probably in the early stages of development and testing. Therefore, it can be assumed that the grouping is associated with Latin America and may relate to or overlap with the FIN13 grouping (classification of the information security company Mandiant).

We also talked about the fact that Hackers attack e-banking users by phishing QR codes.