FIN13

FIN13, also referred to as Elephant Beetle, is a financially motivated threat actor. Sygnia reported that Elephant Beetle has been active for at least two years and primarily targets finance and commerce organizations in Latin America, stealing millions of dollars by injecting fraudulent transactions into normal financial activity. Sygnia assessed that Elephant Beetle resembles the group tracked by Mandiant as FIN13, and noted strong ties to Spanish-speaking Latin America, especially Mexico, based on tooling language, infrastructure, and victimology. The group primarily targets Java-based web applications and servers, especially IBM WebSphere and Oracle WebLogic, often on Linux systems. Reported initial access and foothold methods include exploitation of known vulnerabilities such as CVE-2017-1000486, CVE-2015-7450, CVE-2010-5326, and EDB-ID-24963, abuse of default credentials on web management interfaces, deployment of open-source and custom web shells including JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2, and malicious WAR deployments masquerading as legitimate packages such as wsexample.war, wsexamples.war, examples.war, and exampl3s.war. FIN13 has also used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data. Observed tradecraft includes file and directory discovery using dir; creation of hidden files and folders in /tmp on Linux and use of attrib.exe to hide gathered host information; use of temporary folders such as C:\Windows\Temp and /tmp prior to exfiltration; host and network reconnaissance using systeminfo, fsutil, fsinfo, nslookup, ipconfig, and PowerShell commands to obtain DNS data; account discovery using GetUserSPNs.vbs and querySpn.vbs to identify accounts associated with Service Principal Names and query SPNs in the domain; credential access by browsing local files on compromised machines for administrative credentials; and collection of stolen credentials, point-of-sale data, and ATM data before exfiltration. For execution and lateral movement, FIN13 has leveraged PowerShell, Windows Command Shell, xp_cmdshell, WMI, SMB, and SQL-server-centric access paths. Reporting states the group used web shells, SQL web shells, custom Java SQL tooling, sqlcmd.exe, modified WmiExec.vbs, and Invoke-SMBExec.ps1, and attempted to use xp_cmdshell on internal MS-SQL servers for remote command execution. Publicly available tools observed in FIN13 operations include Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito v2. FIN13 has also used certutil to decode Base64-encoded custom malware. Persistence reported for FIN13 includes Windows Registry Run keys, specifically HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts. Sygnia also reported persistence through web shells, malicious WAR files, and creation of local MS-SQL accounts with sysadmin privileges.