#100DaysofYARA 2024 – Day 96 – CLOSEWATCH

FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor that has performed targeted intrusions against financial institutions in Mexico and Latin America since 2016. Rather than relying on commodity malware such as Cobalt Strike or a Ransomware-as-a-Service payload, the group makes heavy use of custom tooling, such as web shells used to tunnel network traffic, before monetising its intrusions through data theft and the injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.

CLOSEWATCH is a JSP web shell that communicates with a listener on localhost over a specified port, writes arbitrary files to the victim operating system, executes arbitrary commands on the victim host, disables proxying, and issues customisable HTTP GET requests to a range of remote hosts.

```yara
rule MAL_FIN13_CLOSEWATCH {
    meta:
        description = "Matches strings found in CLOSEWATCH JSP webshell and scanner used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
        last_modified = "2024-04-05"
        author = "@petermstewart"
        DaysofYara = "96/100"
        sha256 = "e9e25584475ebf08957886725ebc99a2b85af7a992b6c6ae352c94e8d9c79101"
        ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"

    strings:
        $a1 = "host=\"localhost\";"
        $a2 = "pport=16998;"
        $b1 = "request.getParameter(\"psh3\")"
        $b2 = "request.getParameter(\"psh\")"
        $b3 = "request.getParameter(\"psh2\")"
        $b4 = "request.getParameter(\"c\")"
        $c1 = "ja!, perra xD"

    condition:
        filesize < 20KB and
        6 of them
}
```
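As an added example (not part of the original post or the rule's repository), the same condition re-implemented in plain Python, so a responder can sweep deployed JSP files on a host without a YARA binary and see exactly how the "6 of them" threshold behaves; the webapps path is a placeholder and the sample inputs are constructed text, not a real web shell.

```python
"""Plain-Python equivalent of the MAL_FIN13_CLOSEWATCH condition (added example)."""
from pathlib import Path

# Indicator strings copied from the rule above, matched as raw bytes like YARA does.
CLOSEWATCH_STRINGS = [
    b'host="localhost";',
    b'pport=16998;',
    b'request.getParameter("psh3")',
    b'request.getParameter("psh")',
    b'request.getParameter("psh2")',
    b'request.getParameter("c")',
    b'ja!, perra xD',
]
MAX_FILESIZE = 20 * 1024  # YARA's "filesize < 20KB"
MIN_HITS = 6              # YARA's "6 of them"


def count_hits(data: bytes) -> int:
    """Count indicator strings present at least once (each counts once, as in YARA)."""
    return sum(1 for s in CLOSEWATCH_STRINGS if s in data)


def matches_closewatch(data: bytes) -> bool:
    """Evaluate the full rule condition against one file's content."""
    return len(data) < MAX_FILESIZE and count_hits(data) >= MIN_HITS


def scan_webapps(root: Path) -> list[Path]:
    """Return every .jsp file under root whose content satisfies the rule."""
    return [p for p in root.rglob("*.jsp")
            if p.is_file() and matches_closewatch(p.read_bytes())]


# Constructed sample carrying six of the seven indicators (text only, no shell logic).
SAMPLE_HIT = b"\n".join(CLOSEWATCH_STRINGS[:6])
# Constructed benign JSP that merely reads a "c" parameter: one hit, no match.
SAMPLE_BENIGN = b'<% String c = request.getParameter("c"); %>'

if __name__ == "__main__":
    print("constructed sample matches:", matches_closewatch(SAMPLE_HIT))   # True
    print("benign JSP matches:", matches_closewatch(SAMPLE_BENIGN))        # False
    for hit in scan_webapps(Path("/opt/tomcat/webapps")):  # placeholder path
        print("CLOSEWATCH indicators in", hit)
```

Note that `request.getParameter("psh")` is not a substring of the `psh2`/`psh3` variants, so each of the four `$b` strings contributes independently to the count.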

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
