Using an inventory of over 80 unique tools and scripts, a financially driven actor known as ‘Elephant Beetle’ is stealing millions of dollars from organizations worldwide. The group is highly sophisticated and patient, spending months learning the victim’s environment and financial transaction processes before moving on to exploiting the operation’s flaws.
Actors introduce false transactions onto the network and steal modest sums over time, resulting in a multimillion-dollar theft. If they are discovered, they hide for a bit before returning by a new route.
‘Elephant Beetle’ appears to target legacy Java applications on Linux servers, which are often its point of entry into corporate networks. The actor’s TTPs are outlined in a technical report from the Sygnia Incident Response team, shared before publication.
Instead of buying or developing zero-day exploits, ‘Elephant Beetle’ targets known vulnerabilities that are likely to remain unpatched. Researchers from Sygnia have been tracking the group for the past two years and can confirm that the threat actors are abusing these vulnerabilities:
- Primefaces Application Expression Language Injection (CVE-2017-1000486)
- SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326)
- WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450)
- SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963)
The actors can use a specially constructed and obfuscated web shell to remotely execute arbitrary code using all four of the above vulnerabilities. They need to perform long-term monitoring and study; thus, staying unnoticed for several months is the next priority. To do so, they imitate genuine packages, disguise web shells as font, image, CSS, and JS resources, and bundle payloads using WAR archives.
“The Elephant Beetle thieves will also try and literally overwrite non-threatening files, as they slowly prepare for the true attack,” as per the Sygnia report.
Another method employed by the threat actor was to modify or completely replace the default web page files, such as iisstart.aspx or default.aspx on IIS web servers. The threat group accomplished two objectives with this strategy – the first is that access to their web shell from other servers or the internet is virtually always ensured, because these paths are typically permitted by default.
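Both tricks described above, web shells hidden behind static-resource names and replaced default pages, leave traces a defender can hunt for on the web root. The following Python scan is an added example, not code from the Sygnia report or this article: it flags files whose magic bytes do not match their extension, static resources that contain server-side script markers, and default pages whose hash differs from a known-good baseline. The magic-byte table, marker patterns, baseline and sample files are constructed assumptions for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Expected leading bytes for common static resource types (constructed table)
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".woff": b"wOFF",
    ".woff2": b"wOF2",
}
# Server-side script markers that have no business inside static resources
SCRIPT_MARKERS = [re.compile(p, re.I) for p in (
    rb"<%[@!=]?",                        # JSP / ASP.NET scriptlets and directives
    rb"<\?php",
    rb"Runtime\.getRuntime\(\)\.exec",
    rb"ProcessBuilder\(",
    rb"System\.Diagnostics\.Process",
)]
STATIC_EXTS = {".css", ".js", ".svg", *MAGIC}

def classify(path: Path, baseline: dict[str, str]) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    findings = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")
    if ext in STATIC_EXTS and any(m.search(data) for m in SCRIPT_MARKERS):
        findings.append("server-side-code-in-static")
    expected = baseline.get(path.name.lower())   # baseline keyed by default page name
    if expected and hashlib.sha256(data).hexdigest() != expected:
        findings.append("default-page-modified")
    return findings

def scan(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Walk the web root and return {relative path: findings} for suspicious files only."""
    return {str(p.relative_to(webroot)): f
            for p in webroot.rglob("*") if p.is_file() and (f := classify(p, baseline))}

def demo() -> dict[str, list[str]]:
    """Constructed web root: one clean CSS file, a fake PNG holding a JSP directive,
    and an iisstart.aspx whose hash no longer matches the recorded baseline."""
    root = Path(tempfile.mkdtemp())
    (root / "style.css").write_bytes(b"body { color: #333; }")
    (root / "logo.png").write_bytes(b'<%@ page import="java.io.*" %>')
    (root / "iisstart.aspx").write_bytes(b"<%@ Page %>replaced")
    baseline = {"iisstart.aspx": hashlib.sha256(b"<%@ Page %>original").hexdigest()}
    return scan(root, baseline)
```

Run `demo()` to see the two suspicious files reported while the clean stylesheet is left out; in production, build the baseline from a freshly installed server and key it by full path rather than bare filename.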
Following the first web server breach, the threat actor employs a bespoke Java scanner to retrieve a list of IP addresses for a specified port or HTTP interface. This tool is extremely adaptable and adjustable, and Sygnia claims to have seen it in action during the ‘Elephant Beetle’ operations.
After identifying possible internal pivoting points, the attackers use compromised credentials or RCE vulnerabilities to propagate laterally to additional devices in the network. The group uses a Base64-encoded PowerShell backdoor and a Perl back-connect backdoor to assist lateral movement.
The first backdoor imitates a web server and connects to target ports through a remote code execution channel. In contrast, the second runs an interactive shell for C2 communication (command reception and output). In a few unusual situations, hackers employed a third backdoor to execute shellcode on the host through an encrypted tunnel built using a set of hardcoded certificates.