FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially-motivated actor performing targeted intrusions against financial institutions in Mexico and Latin America dating back to 2016. Rather than using commodity malware such as CobaltStrike and some Ransomware-as-a-Service binary, they make heavy use of custom tooling such as webshells to tunnel network traffic before monetising their intrusion through data theft and injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in this Mandiant blog post.
SIXPACK is an ASPX web shell written in C# that functions as a tunneler. SIXPACK accepts HTTP form data that contains a remote host and TCP port to connect to, a timeout value, and Base64-encoded data to send after connecting to the specified host. Response data is read by SIXPACK and returned to the original client.
FIN13: A Cybercriminal Threat Actor Focused on Mexico
rule MAL_FIN13_SIXPACK {
meta:
description = "Matches strings found in SIXPACK ASPX webshell/tunneler used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
last_modified = "2024-04-07"
author = "@petermstewart"
DaysofYara = "98/100"
sha256 = "a3676562571f48c269027a069ecb08ee08973b7017f4965fa36a8fa34a18134e"
ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"
strings:
$a1 = "Sending a packs..."
$a2 = "Sending a pack..."
$b1 = "nvc[\"host\"]"
$b2 = "nvc[\"port\"]"
$b3 = "nvc[\"timeout\"]"
condition:
filesize < 15KB and
1 of ($a*) and
all of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 