#100DaysofYARA 2024 – Day 100 – MAILSLOT

FIN13 (also tracked as ElephantBeetle and SQUAB SPIDER) is a financially motivated actor that has performed targeted intrusions against financial institutions in Mexico and Latin America since 2016. Rather than relying on commodity tooling such as Cobalt Strike or a Ransomware-as-a-Service payload, the group makes heavy use of custom tools, including webshells used to tunnel network traffic, before monetising the intrusion through data theft and the injection of fraudulent transactions into payment systems. This series of rules covers the custom tools attributed to FIN13 in Mandiant's blog post on the group (linked in each rule's ref field).

In one intrusion, FIN13 deployed a backdoor tracked as MAILSLOT, which communicates over SMTP and POP over SSL, sending and receiving emails through a configured attacker-controlled mailbox for command and control. That makes FIN13 one of the few threat actors observed using email as a C2 channel. The rule below keys on two groups of strings: the $a strings capture the installer's persistence commands (a copy named uhost.exe, a registry value named Uhost written with reg add, and a netsh advfirewall rule allowing the program outbound on every profile), while the $b strings capture the MIME headers of the C2 messages, which carry their payload as a base64-encoded attachment named smime.p7s so that it resembles an S/MIME signature.

Reference: FIN13: A Cybercriminal Threat Actor Focused on Mexico, Mandiant, https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico
rule MAL_FIN13_MAILSLOT {
    meta:
        description = "Matches strings found in MAILSLOT SMTP/POP C2 used by FIN13 (AKA: ElephantBeetle, SQUAB SPIDER)"
        last_modified = "2024-04-09"
        author = "@petermstewart"
        DaysofYara = "100/100"
        sha256 = "5e59b103bccf5cad21dde116c71e4261f26c2f02ed1af35c0a17218b4423a638"
        ref = "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico"

    strings:
        // Installation and persistence commands (UTF-16LE format strings, %ws = wide-string argument)
        $a1 = "%ws%\\uhost.exe" wide
        $a2 = "reg add %ws /v Uhost /t REG_SZ /d \"%ws\" /f" wide
        $a3 = "netsh advfirewall firewall add rule name=\"Uhost\"" wide
        $a4 = "profile=domain,private,public protocol=any enable=yes DIR=Out program=\"%ws\" Action=Allow" wide
        // MIME headers used to build the C2 emails (ASCII); the payload travels as a base64 "smime.p7s" attachment
        $b1 = "name=\"smime.p7s\"%s"
        $b2 = "Content-Transfer-Encoding: base64%s"
        $b3 = "Content-Disposition: attachment;"
        $b4 = "Content-Type: %smime;"

    condition:
        // PE file (MZ header, read as little-endian uint16) containing every string above
        uint16(0) == 0x5a4d and
        all of them
}
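To sanity-check the rule without handling a real sample, here is an added Python example (mine, not part of the original post or of the linked rule repository) that emulates the rule's matching logic and builds a constructed synthetic test file. The point it makes is the `wide` modifier: the $a strings are searched for as UTF-16LE, so a file that carries the same commands in ASCII does not trigger the rule, and the condition additionally requires the MZ header. The synthetic blob, the `build_synthetic_sample` helper and the output file name are assumptions for the demo; the file it writes will also fire the real rule when scanned with the `yara` CLI.

```python
"""Emulate MAL_FIN13_MAILSLOT and generate a synthetic test file for it.

Added example, not part of the original post. The sample bytes produced here
are constructed for testing and contain no executable code.
"""

# The rule's strings, in the same order as in the YARA source.
WIDE_STRINGS = [  # $a1..$a4, declared `wide` -> matched as UTF-16LE
    '%ws%\\uhost.exe',
    'reg add %ws /v Uhost /t REG_SZ /d "%ws" /f',
    'netsh advfirewall firewall add rule name="Uhost"',
    'profile=domain,private,public protocol=any enable=yes DIR=Out program="%ws" Action=Allow',
]
ASCII_STRINGS = [  # $b1..$b4, no modifier -> matched as ASCII
    'name="smime.p7s"%s',
    'Content-Transfer-Encoding: base64%s',
    'Content-Disposition: attachment;',
    'Content-Type: %smime;',
]


def encoded_patterns():
    """Return (identifier, byte pattern) pairs exactly as YARA would search for them."""
    pats = [(f"$a{i}", s.encode("utf-16-le")) for i, s in enumerate(WIDE_STRINGS, 1)]
    pats += [(f"$b{i}", s.encode("ascii")) for i, s in enumerate(ASCII_STRINGS, 1)]
    return pats


def scan(data: bytes) -> dict:
    """Apply the rule's condition: uint16(0) == 0x5a4d and all of them.

    Returns the MZ check, the offset of each string (-1 if absent) and the verdict.
    """
    hits = {name: data.find(pat) for name, pat in encoded_patterns()}
    # 0x5a4d read little-endian from offset 0 is the bytes 4d 5a, i.e. "MZ".
    is_mz = len(data) >= 2 and data[:2] == b"MZ"
    matched = is_mz and all(off != -1 for off in hits.values())
    return {"is_mz": is_mz, "hits": hits, "matched": matched}


def build_synthetic_sample(wide_as_utf16: bool = True, mz: bool = True) -> bytes:
    """Construct a test blob carrying all eight strings (assumed layout, not a real PE).

    wide_as_utf16=False stores the $a strings as ASCII, which the rule must NOT match.
    mz=False swaps the MZ magic for an ELF magic to exercise the header check.
    """
    blob = bytearray(b"MZ" if mz else b"\x7fELF")
    blob += b"\x00" * 62  # pad out a fake DOS-header-sized region
    for s in WIDE_STRINGS:
        blob += (s.encode("utf-16-le") if wide_as_utf16 else s.encode("ascii")) + b"\x00\x00"
    for s in ASCII_STRINGS:
        blob += s.encode("ascii") + b"\x00"
    return bytes(blob)


if __name__ == "__main__":
    out = "mailslot_synthetic.bin"  # assumed file name for scanning with the yara CLI
    with open(out, "wb") as fh:
        fh.write(build_synthetic_sample())
    for label, sample in [
        ("utf16 wide strings + MZ", build_synthetic_sample()),
        ("ascii strings + MZ", build_synthetic_sample(wide_as_utf16=False)),
        ("utf16 wide strings, no MZ", build_synthetic_sample(mz=False)),
    ]:
        result = scan(sample)
        missing = [n for n, off in result["hits"].items() if off == -1]
        print(f"{label:28s} matched={result['matched']} missing={missing}")
    print(f"wrote {out}; verify with: yara MAL_FIN13_MAILSLOT.yar {out}")
```

Writing the $a strings as ASCII is the mistake most often made when building test files for rules with `wide` strings; the emulation shows every $a string missing in that case while the $b strings still hit, which is the same picture `yara -s` would give.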

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.
