ELMER

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Elmer is a potent malware, associated with another malicious software known as IRONHALO. It is designed to infiltrate computer systems and cause significant damage, including personal information theft, operational disruption, and even holding data for ransom. Elmer primarily spreads through spear-phishing emails targeted at Taiwanese media organizations and webmail addresses. The malware is written in Delphi and operates as a non-persistent proxy-aware HTTP backdoor, capable of performing file uploads and downloads, executing files, and listing processes and directories. To retrieve commands, Elmer sends HTTP GET requests to a hardcoded Command and Control (CnC) server and interprets the HTTP response packets received from the CnC server for an integer string that corresponds to the command that needs to be executed. In one notable instance, two French health insurance companies, Viamedis and Elmer’s, confirmed a cyber-attack compromising the data of over 33 million people, nearly half of France's population. The attack vector was not explicitly stated but could potentially involve Elmer given its prevalence and capabilities. It is also suspected that APT16, a notorious hacking group, might have used Elmer to target a government agency, given the timeframe and the use of the same n-day to deploy the Elmer backdoor. The Elmer variant identified as 6c33223db475f072119fe51a2437a542 beaconed to the CnC IP address 121.127.249.74 over port 443. This variant was observed during several campaigns in December. The exploit documents delivered during these campaigns dropped a binary containing an embedded variant of a backdoor referred to as Elmer. In some cases, the exploit dropped a different malware payload, still referred to as Elmer. As such, it is crucial for organizations to maintain robust cybersecurity measures, including enabling notifications for potential breaches and using two-factor authentication.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the ELMER Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
The EPS Awakens - Part 2 « Threat Research
MITRE
a year ago
Advanced Persistent Threats (APTs) | Threat Actors & Groups
CERT-EU
a year ago
Robert Hacker Obituary (1933 – 2023) – Southport, CT | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
Checkpoint
3 months ago
12th February – Threat Intelligence Report - Check Point Research
CERT-EU
a year ago
Don’t buy into ‘Impostor syndrome’, Women in Cybersecurity conference told | IT World Canada News
CERT-EU
a year ago
Wyoming Office Of Tourism Has Facebook Page 'Hacked,' Warns People Not To Click On Links | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting