dfir, mostly
That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.
Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.
I hope it’s helpful!
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
In one instance, FIN13 deployed a backdoor called MAILSLOT, which communicates over SMTP/POP over SSL, sending and receiving emails to and from a configured attacker-controlled email account for its command and control. MAILSLOT makes FIN13 a rare case of a threat actor who has used email communications for C2.
FIN13: A Cybercriminal Threat Actor Focused on Mexico
rule MAL_FIN13_MAILSLOT {
meta:
description = "Matches strings found in MAILSLOT SMTP/POP C2 used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-09"
author = "@petermstewart"
DaysofYara = "100/100"
sha256 = "5e59b103bccf5cad21dde116c71e4261f26c2f02ed1af35c0a17218b4423a638"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "%ws%\\uhost.exe" wide
$a2 = "reg add %ws /v Uhost /t REG_SZ /d \"%ws\" /f" wide
$a3 = "netsh advfirewall firewall add rule name=\"Uhost\"" wide
$a4 = "profile=domain,private,public protocol=any enable=yes DIR=Out program=\"%ws\" Action=Allow" wide
$b1 = "name=\"smime.p7s\"%s"
$b2 = "Content-Transfer-Encoding: base64%s"
$b3 = "Content-Disposition: attachment;"
$b4 = "Content-Type: %smime;"
condition:
uint16(0) == 0x5a4d and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
Today’s rule matches strings in the SWEARJAR Java-based webshell.
rule MAL_FIN13_SWEARJAR {
meta:
description = "Matches strings found in SWEARJAR cross-platform backdoor used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-08"
author = "@petermstewart"
DaysofYara = "99/100"
sha256 = "e76e0a692be03fdc5b12483b7e1bd6abd46ad88167cd6b6a88f6185ed58c8841"
sha256 = "2f23224937ac723f58e4036eaf1ee766b95ebcbe5b6a27633b5c0efcd314ce36"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLConnection.class"
$a2 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandler.class"
$a3 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandlerFactory.class"
$a4 = "bankcard.class"
condition:
filesize < 20KB and
uint16(0) == 0x4b50 and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
SIXPACK is an ASPX web shell written in C# that functions as a tunneler. SIXPACK accepts HTTP form data that contains a remote host and TCP port to connect to, a timeout value, and Base64-encoded data to send after connecting to the specified host. Response data is read by SIXPACK and returned to the original client.
FIN13: A Cybercriminal Threat Actor Focused on Mexico
rule MAL_FIN13_SIXPACK {
meta:
description = "Matches strings found in SIXPACK ASPX webshell/tunneler used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-07"
author = "@petermstewart"
DaysofYara = "98/100"
sha256 = "a3676562571f48c269027a069ecb08ee08973b7017f4965fa36a8fa34a18134e"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "Sending a packs..."
$a2 = "Sending a pack..."
$b1 = "nvc[\"host\"]"
$b2 = "nvc[\"port\"]"
$b3 = "nvc[\"timeout\"]"
condition:
filesize < 15KB and
1 of ($a*) and
all of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
NIGHTJAR is a Java-based file upload tool observed by Mandiant in multiple FIN13 intrusions.
rule MAL_FIN13_NIGHTJAR {
meta:
description = "Matches strings found in NIGHTJAR file upload tool used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-06"
author = "@petermstewart"
DaysofYara = "97/100"
sha256 = "5ece301c0e0295b511f4def643bf6c01129803bac52b032bb19d1e91c679cacb"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLConnection.class"
$a2 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandler.class"
$a3 = "org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandlerFactory.class"
$a4 = "FileTransferClient.class"
condition:
filesize < 15KB and
uint16(0) == 0x4b50 and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
CLOSEWATCH is a JSP web shell that communicates with a listener on localhost over a specified port, writes arbitrary files to the victim operating system, executes arbitrary commands on the victim host, disables proxying and issues customizable HTTP GET requests to a range of remote hosts.
FIN13: A Cybercriminal Threat Actor Focused on Mexico
rule MAL_FIN13_CLOSEWATCH {
meta:
description = "Matches strings found in CLOSEWATCH JSP webshell and scanner used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-05"
author = "@petermstewart"
DaysofYara = "96/100"
sha256 = "e9e25584475ebf08957886725ebc99a2b85af7a992b6c6ae352c94e8d9c79101"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "host=\"localhost\";"
$a2 = "pport=16998;"
$b1 = "request.getParameter(\"psh3\")"
$b2 = "request.getParameter(\"psh\")"
$b3 = "request.getParameter(\"psh2\")"
$b4 = "request.getParameter(\"c\")"
$c1 = "ja!, perra xD"
condition:
filesize < 20KB and
6 of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
Today’s rule covers PORTHOLE; a custom multi-threaded network scanner written in Java.
rule MAL_FIN13_PORTHOLE {
meta:
description = "Matches strings found in PORTHOLE Java network scanner used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-04"
author = "@petermstewart"
DaysofYara = "95/100"
sha256 = "84ac021af9675763af11c955f294db98aeeb08afeacd17e71fb33d8d185feed5"
sha256 = "61257b4ef15e20aa9407592e25a513ffde7aba2f323c2a47afbc3e588fc5fcaf"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "IpExtender.class"
$a2 = "PortScanner.class"
$a3 = "ObserverNotifier.class"
condition:
filesize < 20KB and
uint16(0) == 0x4b50 and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
LATCHKEY is a PowerShell to EXE (PS2EXE) compiled dropper that base64 decodes and executes the PowerSploit function Out-Minidump which generates a minidump for the LSASS system process to disk.
FIN13: A Cybercriminal Threat Actor Focused on Mexico
rule MAL_FIN13_LATCHKEY {
meta:
description = "Matches strings found in LATCHKEY ps2exe loader used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-03"
author = "@petermstewart"
DaysofYara = "94/100"
sha256 = "b23621caf5323e2207d8fbf5bee0a9bd9ce110af64b8f5579a80f2767564f917"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "Unhandeled exception in PS2EXE" wide
$b1 = "function Out-Minidump" base64wide
$b2 = "$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)" base64wide
$b3 = "Get-Process lsass | Out-Minidump" base64wide
condition:
filesize < 50KB and
uint16(0) == 0x5a4d and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
Mandiant’s reporting mentioned a Perl variant of the BLUEAGAVE backdoor but did not include many details; using additional reporting from NetWitness I was able to write a YARA rule to find some samples.
rule MAL_FIN13_BLUEAGAVE_Perl {
meta:
description = "Matches strings found in BLUEAGAVE Perl webshell used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-02"
author = "@petermstewart"
DaysofYara = "93/100"
ref = "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf"
strings:
$a1 = "'[cpuset]';" ascii wide
$a2 = "$key == \"kmd\"" ascii wide
$a3 = "SOMAXCONN,"
$a4 = "(/\\s*(\\w+)\\s*([^\\s]+)\\s*HTTP\\/(\\d.\\d)/)" ascii wide
$a5 = "s/^\\s+//; s/\\s+$//;" ascii wide
condition:
filesize < 5KB and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
In my job as a threat hunter I tend to focus on eCrime activity. Most of the time this means finding and tracking ransomware actors, but now and again I get to work on something a little bit different!
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
Today’s rule matches strings contained in a PowerShell passive backdoor named BLUEAGAVE, which is deployed during initial access.
rule MAL_FIN13_BLUEAGAVE_PowerShell {
meta:
description = "Matches code sample of BLUEAGAVE PowerShell webshell used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-01"
author = "@petermstewart"
DaysofYara = "92/100"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "$decode = [System.Web.HttpUtility]::UrlDecode($data.item('kmd'))" ascii wide
$a2 = "$Out = cmd.exe /c $decode 2>&1" ascii wide
$a3 = "$url = 'http://*:" ascii wide
condition:
filesize < 5KB and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 