In my job as a threat hunter I tend to focus on eCrime activity. Most of the time this means finding and tracking ransomware actors, but now and again I get to work on something a little bit different!
FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
Today’s rule matches strings contained in a PowerShell passive backdoor named BLUEAGAVE, which is deployed during initial access.
rule MAL_FIN13_BLUEAGAVE_PowerShell {
meta:
description = "Matches code sample of BLUEAGAVE PowerShell webshell used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-01"
author = "@petermstewart"
DaysofYara = "92/100"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "$decode = [System.Web.HttpUtility]::UrlDecode($data.item('kmd'))" ascii wide
$a2 = "$Out = cmd.exe /c $decode 2>&1" ascii wide
$a3 = "$url = 'http://*:" ascii wide
condition:
filesize < 5KB and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 