Cranefly hackers using Microsoft IIS logs to deliver malware
The aim appears to be intelligence gathering, rather than ransomware or data theft.
Symantec researchers have uncovered a new dropper (Trojan variant) that criminals are using to deploy malicious tools, by reading commands from seemingly harmless Internet Information Services (IIS) logs.
The researchers said a threat actor known as Cranefly is using the Trojan.Geppei dropper to install new Trojan.Danfuan malware, as well as other malicious software.
Mandiant first reported on Cranefly this May, when the firm described the activities of a group it called UNC3524. It said the gang made a 'significant effort' to target individuals working in corporate development, mergers and acquisitions, and other large business activities.
The attackers remained on target networks for at least 18 months and deployed backdoors on equipment that lacked security measures. The researchers observed the attackers downloading the QuietExit backdoor, which is based on the free and open-source Dropbear SSH client-server programme.
In its new advisory, Symantec said its researchers discovered the Geppei dropper on multiple victim machines.
Geppei can convert a Python script into an executable file using PyInstaller when conducting attacks. It reads commands from a legitimate IIS log; these logs are used to keep track of data from IIS, including web pages and applications. By disguising commands as web access requests, the attackers can send commands to a hacked web server.
Those commands are logged by IIS as normal, but Geppei can interpret them as instructions.
The instructions Geppei reads are maliciously encoded .ashx files. These files, which function as backdoors, are stored in an arbitrary folder whose location is specified by a command parameter.
In the malicious HTTP requests Geppei processes, the threat actors often make use of the strings Wrde, Exco, and CIIo. In general, none of these strings would appear in IIS log files, and the presence of these strings is what appears to prompt the dropper to act.
Because IIS records 404 errors in the same log file by default, Cranefly can send instructions via a dummy URL or one that does not exist on the server at all.
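The channel described above relies on requests being written to the IIS log whether or not the requested page exists, which also means a defender can look for the same thing. The following is an added example (not code from the article, Symantec or Mandiant) that parses IIS W3C extended log lines using the #Fields directive and flags any request whose URI stem or query string contains one of the marker strings the article names. The sample log lines are constructed, the marker list is copied as printed in the article and is meant to be tuned, and the matching is deliberately case-sensitive so that ordinary words such as "excoriate" do not trip it.

```python
"""Flag IIS W3C log requests carrying the marker strings described for Geppei."""
import re

# Marker strings as printed in the article (constructed example input below; tune as needed).
DEFAULT_MARKERS = ("Wrde", "Exco", "CIIo")

# Constructed sample log in IIS W3C extended format; not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 10:01:02 10.0.0.5 GET /index.html - 443 203.0.113.7 Mozilla/5.0 200 0 0 12
2022-10-28 10:01:09 10.0.0.5 GET /images/logo.png - 443 203.0.113.7 Mozilla/5.0 200 0 0 3
2022-10-28 10:02:17 10.0.0.5 GET /does-not-exist.html Wrde=sample&Exco=sample 443 198.51.100.9 curl/7.79.1 404 0 2 1
2022-10-28 10:02:40 10.0.0.5 POST /upload.aspx - 443 198.51.100.9 curl/7.79.1 200 0 0 8
2022-10-28 10:03:05 10.0.0.5 GET /CIIo/fake.html - 443 198.51.100.9 curl/7.79.1 404 0 2 1
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Malformed line: surface it rather than silently dropping it.
            yield {"line": lineno, "malformed": True, "raw": raw}
            continue
        rec = dict(zip(fields, values))
        rec["line"] = lineno
        yield rec


def find_marker_hits(text, markers=DEFAULT_MARKERS):
    """Return records for requests whose URI stem or query contains any marker.

    The check runs on every logged request, including 404s, because IIS writes
    failed requests to the same file and the article notes that is what the
    attackers rely on.
    """
    pattern = re.compile("|".join(re.escape(m) for m in markers))
    hits = []
    for rec in parse_w3c(text):
        if rec.get("malformed"):
            continue
        haystack = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        m = pattern.search(haystack)
        if m:
            hits.append({
                "line": rec["line"],
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "query": rec.get("cs-uri-query"),
                "status": rec.get("sc-status"),
                "marker": m.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['uri']} "
              f"{hit['query']} -> {hit['status']} (marker {hit['marker']})")
```

Run against the constructed sample, the scan flags the two requests from 198.51.100.9 and ignores the normal traffic; both hits are 404 responses, which is the point: a log review that filters out errors first would miss exactly the lines this technique depends on.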
ReGeorg, a well-known web shell that Symantec and Mandiant have seen Cranefly utilising, is one of the backdoors that Geppei drops. ReGeorg has previously been used by a variety of advanced persistent threat (APT) groups and is publicly accessible on GitHub.
In spite of the threat actor's presence on infiltrated networks for an extended period of time (in this case, 18 months), Symantec said that it has not seen any data being exfiltrated from victim workstations.
"The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor," the researchers concluded.
"The tools deployed and efforts taken to conceal this activity [...] indicate that the most likely motivation for this group is intelligence gathering."