Elmer is a backdoor malware family associated with another malicious tool known as IRONHALO. It is designed to infiltrate computer systems and cause significant damage, including theft of personal information, operational disruption, and even holding data for ransom. Elmer primarily spreads through spear-phishing emails targeted at Taiwanese media organizations and webmail addresses. The malware is written in Delphi and operates as a non-persistent, proxy-aware HTTP backdoor capable of uploading and downloading files, executing files, and listing processes and directories. To retrieve tasking, Elmer sends HTTP GET requests to a hardcoded Command and Control (CnC) server and parses the HTTP responses it receives for an integer string that selects the command to execute.
In one notable instance, two French health insurance companies, Viamedis and Almerys, confirmed a cyber-attack compromising the data of over 33 million people, nearly half of France's population. The attack vector was not explicitly stated, but Elmer could potentially have been involved given its prevalence and capabilities. APT16, a notorious intrusion group, is also suspected of having used Elmer to target a government agency, based on the overlapping timeframe and the reuse of the same n-day exploit to deploy the Elmer backdoor.
The Elmer variant identified by the hash 6c33223db475f072119fe51a2437a542 beaconed to the CnC IP address 121.127.249.74 over port 443. This variant was observed during several campaigns in December. The exploit documents delivered in these campaigns dropped a binary containing an embedded variant of the backdoor referred to as Elmer; in some cases the exploit dropped a different malware payload that is still referred to as Elmer. Organizations should therefore maintain robust cybersecurity measures, including enabling notifications for potential breaches and using two-factor authentication.
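As an added example (not part of the original description), the following Python hunts a proxy log for the two signals described above: traffic to the quoted CnC address and port, and beacon GETs answered with a bare integer string, which is how the backdoor receives its tasking. The log format and every log line are constructed for illustration; only the IP, port and tasking pattern come from the description.

```python
import re
from typing import List, Optional, Tuple

# Indicators quoted from the description above; everything else here is constructed.
ELMER_CNC_IP = "121.127.249.74"
ELMER_CNC_PORT = 443

# Constructed proxy-log excerpt in a hypothetical pipe-delimited export:
# timestamp|client|method|destination:port|status|response body (first bytes)
SAMPLE_LOG = """\
2015-12-02T09:14:03Z|10.0.3.21|GET|121.127.249.74:443|200|3
2015-12-02T09:14:33Z|10.0.3.21|GET|121.127.249.74:443|200|7
2015-12-02T09:15:10Z|10.0.3.44|GET|www.example.org:443|200|<!doctype html>
2015-12-02T09:15:12Z|10.0.3.21|POST|121.127.249.74:443|200|ok
2015-12-02T09:16:00Z|10.0.3.60|GET|cdn.example.net:443|200|42
"""

# Elmer tasking: the reply to a beacon GET is just an integer that selects a command.
INTEGER_BODY = re.compile(r"^\s*\d+\s*$")

def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line; return None on malformed input."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        return None
    ts, client, method, dest, _status, body = parts
    host, _, port = dest.rpartition(":")
    return {"ts": ts, "client": client, "method": method, "host": host,
            "port": int(port) if port.isdigit() else None, "body": body}

def score(rec: dict) -> List[str]:
    """Collect the signals one record shows; an empty list means nothing Elmer-like."""
    reasons = []
    if rec["host"] == ELMER_CNC_IP and rec["port"] == ELMER_CNC_PORT:
        reasons.append("destination is the known Elmer CnC")
    if rec["method"] == "GET" and INTEGER_BODY.match(rec["body"]):
        reasons.append("GET answered with a bare integer string (Elmer tasking pattern)")
    return reasons

def hunt(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, client, severity, reasons) per line showing either signal.
    Severity "high" means the known CnC was contacted; "low" means pattern only."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = score(rec) if rec else []
        if reasons:
            severity = "high" if reasons[0].startswith("destination") else "low"
            findings.append((rec["ts"], rec["client"], severity, reasons))
    return findings
```

The bare-integer heuristic alone is weak (any tiny numeric response trips it), so it is reported at low severity and is mainly useful for spotting a new CnC address once the hardcoded one has changed.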
Description last updated: 2024-05-05T02:10:01.519Z