
FIN13

aka: TG2003, Elephant Beetle

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.


Associated Families

There are currently no families associated with this actor.


References
2022-07-18 | NetWitness | Stefano Maccaglia, Will Gragido
FIN13 (Elephant Beetle): Viva la Threat! Anatomy of a Fintech Attack
https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf
FIN13
2022-01-05 | SYGNIA | Amnon Kushnir, Noam Lifshitz, Yoav Mazor, Oren Biderman, Boaz Wasserman, Itay Shohat, Arie Zilberstein
Elephant Beetle: Uncovering an Organized Financial-Theft Operation
https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation
FIN13
2022-01-04 | SYGNIA | Sygnia Incident Response Team
TG2003: Elephant Beetle - Uncovering an Organized Financial-theft Operation
https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf
FIN13
2021-12-07 | Mandiant | Van Ta, Jake Nicastro, Rufus Brown, Nick Richard
FIN13: A Cybercriminal Threat Actor Focused on Mexico
https://www.mandiant.com/resources/fin13-cybercriminal-mexico
jspRAT win.rekoobe FIN13

Credits: MISP Project