FIN13

FIN13, also referred to as Elephant Beetle, is a financially motivated threat actor. Sygnia assessed Elephant Beetle resembles the group tracked by Mandiant as FIN13. The group has been active for at least two years and primarily targets finance and commerce organizations in Latin America, with reporting noting strong ties to Spanish-speaking Latin America, especially Mexico. Sygnia also observed an incident affecting a U.S.-based company with operations in Latin America. The actor steals money through fraudulent transactions and has been reported to siphon millions of dollars from victims. It relies on patience, stealth, and a large toolkit of more than 80 tools and scripts rather than novel exploits. Initial access has focused on unpatched Java-based web applications on Linux servers, especially IBM WebSphere and Oracle WebLogic, as well as abuse of default credentials on web management interfaces. Reported exploitation includes CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326, and SAP NetWeaver ConfigServlet RCE tracked as EDB-ID-24963. FIN13 deploys open-source and custom web shells including JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2, and hides JSP web shells in static resource folders by naming them like legitimate CSS, JS, image, or font files with added .jsp extensions. It has also deployed malicious WAR archives masquerading as legitimate packages, including wsexample.war, wsexamples.war, examples.war, and exampl3s.war. Post-compromise activity includes long dwell time to study victims' financial processes, lateral movement through web application and SQL servers, credential harvesting, and internal tunneling. FIN13 has leveraged xp_cmdshell and the Windows command shell to execute commands, including attempts to execute remote commands on internal MS-SQL servers. It has used WMI for command execution and lateral movement on Windows systems, PowerShell to obtain DNS data, and HTTP requests to chain multiple web shells and contact actor-controlled C2 servers prior to exfiltration. It has used nmap for reconnaissance and scanned for internal MS-SQL servers. Observed tooling includes Mimikatz, Impacket, PwDump7, ProcDump, Incognito v2, Nmap, modified WmiExec.vbs, Invoke-SMBExec.ps1, Reg.exe, 7zip, IISCrack.dll, custom Java scanners, custom Java SSH port-forwarding and tunneling utilities, a PowerShell one-liner backdoor, a Perl one-liner reverse shell, and a backdoor named Cli.exe. The actor has used certutil to decode base64-encoded custom malware. For persistence, FIN13 has used Windows Registry Run keys such as HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts and has created scheduled tasks in the C:\Windows directory. It has collected host information using systeminfo, fsutil, and fsinfo, browsed local files to obtain administrative credentials, and gathered stolen credentials, point-of-sale data, and ATM data before exfiltration. The group is also reported to use RDP for lateral movement.