‘Elephant Beetle’ spends months in victim networks to divert transactions

A financially-motivated actor dubbed ‘Elephant Beetle’ is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts.

The group is very sophisticated and patient, spending months studying the victim’s environment and financial transaction processes, and only then moves to exploit flaws in the operation.

The actors inject fraudulent transactions into the network and steal small amounts over long periods, leading to an overall theft of millions of dollars. If they are spotted, they lay low for a while and return through a different system.

The expertise of ‘Elephant Beetle’ appears to be in targeting legacy Java applications on Linux systems, which is typically their entry point to corporate networks.

The actor’s TTPs are exposed in a detailed technical report which the Sygnia Incident Response team shared with Bleeping Computer before publication.

Exploiting flaws and blending with normal traffic

‘Elephant Beetle’ prefers to target known and likely unpatched vulnerabilities instead of buying or developing zero-day exploits.

Sygnia researchers have observed the group for two years and can confirm the the threat actors exploiting the following flaws:

• Primefaces Application Expression Language Injection (CVE-2017-1000486)
• WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450)
• SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)
• SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963)

All four of the above flaws enable the actors to execute arbitrary code remotely via a specially crafted and obfuscated web shell.

The actors need to conduct long-term surveillance and research, so the next primary goal is to remain undetected for several months.

To achieve this, they try to blend with regular traffic by mimicking legitimate packages, disguising web shells as font, image, or CSS and JS resources, and using WAR archives to pack payloads.

“The Elephant Beetle thieves will also try and literally overwrite non-threatening files, as they slowly prepare for the true attack,” details the Sygnia report.

“Another technique that was used by the threat actor was modifying or replacing completely the default web page files. – i.e., replacing the iisstart.aspx or default.aspx on IIS web servers.”

“Using this technique allowed the threat group two things – the first is an almost guaranteed access to their web shell from other servers or from the internet, because the routes for this are often allowed by default.”

Moving laterally through custom backdoors

After the first web server has been compromised, the threat actor uses a custom Java scanner that fetches a list of IP addresses for a specific port or HTTP interface.

This tool is highly versatile and configurable, and Sygnia reports seeing it used extensively in the observed ‘Elephant Beetle’ operations.

Having identified potential internal server pivoting points, the actors use compromised credentials or RCE flaws to spread laterally to other devices in the network.

“The threat group moves laterally within the network mainly through web application servers and SQL servers, leveraging known techniques such as Windows APIs (SMB/WMI) and ‘xp_cmdshell’, combined with custom remote execution volatile backdoors.” – Sygnia.

The group uses two one-liner backdoors that facilitate lateral movement; a Base64 encoded PowerShell and a Perl back-connect backdoor.

The first backdoor simulates a web server and binds a remote code execution channel to target ports, while the second one executes an interactive shell for C2 communication (command reception and output).

In some rare cases, the hackers used a third backdoor for shellcode execution on the host via an encrypted tunnel created using a set of hardcoded certificates.

Attribution and defense tips

‘Elephant Beetle’ uses Spanish code variables and file names, and the majority of the C2 IP addresses they use are based in Mexico.

Also, the Java-written network scanner was uploaded to Virus Total from Argentina, probably during the early development and testing phase.

As such, the group appears to be connected to Latin America and may have a relation or overlap with the actor FIN13, tracked by Mandiant.

Some basic advice to defend against this actor includes:

• Avoid using the ‘xp_cmdshell’ procedure and disable it on MS-SQL servers. Monitor for configuration changes and the use of ‘xp_cmdshell’.
• Monitor WAR deployments and validate that the packages deployment functionality is included in the logging policy of the relevant applications.
• Hunt and monitor for the presence and creation of suspicious .class file in the WebSphere applications temp folders.
• Monitor for processes that were executed by either web server parent services processes (i.e., ‘w3wp.exe’, ‘tomcat6.exe’) or by database-related processes (i.e., ‘sqlservr.exe’).
• Implement and verify segregation between DMZ and internal servers.

Finally, make sure to grab the indicators of compromise (IoC) from Sygnia’s report that will help you hunt for ‘Elephant Beetle’ proactively.

Considering that this actor is exploiting old and unpatched vulnerabilities for the initial compromise, it is crucial to keep all of your applications updated with the latest security patches.