Elephant Beetle steals from Latin American corporations. Phishing attacks abuse Google Docs comments. New Zloader campaign.
January 11, 2022
At a glance.
- Elephant Beetle steals from Latin American corporations.
- Phishing attacks abuse Google Docs comments.
- New Zloader campaign.
- A look at Dropping Elephant’s new interests.
Elephant Beetle steals from Latin American corporations.
Researchers at Sygnia have been tracking a financially motivated threat actor dubbed “Elephant Beetle” that has been targeting the finance and commerce sectors in Latin America. The group is sophisticated and stealthy, and it lurks within a victim’s network for months before it begins stealing money:
- “During the first phase, which can span up to a month, the group focuses on building operational cyber capabilities in the compromised victim’s network. The group studies the digital landscape and plants backdoors while customizing its tools to work within the victim’s network.
- “The group then spends several months studying the victim’s environment, focusing on the financial operation and identifying any flaws. During this stage, it observes the victim’s software and infrastructure to understand the technical process of legitimate financial transactions.
- “The group can then inject fraudulent transactions into the network. These transactions mimic legitimate behavior and siphon off incremental amounts of money from the victim, a classic salami tactic. Although the amount of money stolen in a single transaction may seem insignificant, the group stacks numerous transactions to what amounts to millions of dollars before the group moves on.
- “If during its efforts any fraudulent activity is discovered and blocked, they then simply lay low for a few months only to return and target a different system.”
Sygnia also notes that “[t]he group is highly proficient with Java based attacks and, in many cases, target[s] legacy Java applications running on Linux-based machines as the means for initial entry to the network. Not only that, the group even deploys their own complete Java Web Application on the victim machine to do their bidding while the machine also runs the intentional application.”
Phishing attacks abuse Google Docs comments.
Avanan has observed a “new, massive wave” of phishing attacks abusing Google Docs comments to deliver malicious links to users’ inboxes. This technique was discovered in 2020, and allows an attacker to send an email notification to a user by tagging them in comments in a Google Workspace document:
“We primarily saw [the campaign] target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts. There are several ways that make this email difficult for scanners to stop and for end-users to spot. For one, the notification comes directly from Google. Google is on most Allow Lists and is trusted by users. Secondly, the email doesn’t contain the attacker’s email address, just the display name. This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize.”
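The evasion Avanan describes rests on the notification being sent by Google and carrying only the attacker's display name, so a filter that judges the sender domain alone will pass it. The following added example (not part of Avanan's report or of the original article) shows a check that instead inspects the comment body for links outside Google's own domains; the sender address, the trusted-domain list and the sample notification are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Docs comment notification is expected to link to.
# Assumption: a defender would tune this list for their own tenant.
TRUSTED_LINK_DOMAINS = {"docs.google.com", "drive.google.com", "google.com"}

# Constructed sample notification: the sender is Google, the display name is
# attacker-chosen, and the comment text carries an external link. The sender
# address below is an assumption standing in for Google's real notifier.
SAMPLE_NOTIFICATION = """\
From: "Accounts Payable (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Accounts Payable mentioned you in Q1 Invoices
Content-Type: text/plain; charset=utf-8

Accounts Payable mentioned you in a comment in the following document
Please review the updated invoice here: http://invoice-review.example.net/login
Open: https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
"""

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def message_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_trusted_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def analyze_notification(raw: str) -> dict:
    """Flag a comment notification whose body links outside the trusted domains."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    links = URL_RE.findall(message_text(msg))
    external = [u for u in links if not is_trusted_domain((urlparse(u).hostname or "").lower())]
    return {
        "sender": sender,
        "display_name": display_name,  # attacker-controlled text, not an identity
        "sender_is_google": sender.lower().endswith("@docs.google.com"),
        "external_links": external,
        "suspicious": bool(external),  # decided by the links, not by the sender
    }
```

The point of the check is that `sender_is_google` is true and yet the message is flagged, because the verdict comes from where the comment's links lead rather than from who delivered the notification.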
New Zloader campaign.