A previously undocumented dropper uses a novel technique, reading its commands out of Internet Information Services (IIS) web server logs, to conduct intelligence gathering and deliver backdoors, according to Symantec.
Symantec's blog post says the dropper, which it tracks as Trojan.Geppei, is being used by a threat actor Symantec calls Cranefly (also known as UNC3524) to install previously undocumented malware and tools. Cranefly targets corporate networks to steal the email of employees who handle large financial transactions, such as mergers and acquisitions.
“We have never seen this technique used to date in real-world attacks. It could, in theory, be used to deliver different types of malware if leveraged by threat actors with different goals,” Brigid O Gorman, senior intelligence analyst on Symantec's Threat Hunter Team, told SC Media.
In the observed activity, the dropper reads its commands from a legitimate IIS log file. IIS writes these logs to record the requests it handles for the web pages and applications it hosts, and every request is recorded whether or not it succeeds, so an attacker who can reach the server over HTTP can plant data in the log without a web shell endpoint or any inbound connection to the implant itself.
“The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal, but the dropper can read them as commands if they contain the strings Wrde, Exco, or Cllo, which do not normally appear in IIS log files,” Gorman explained.
“These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine,” the post added.
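The log-as-command-channel described above lends itself to a straightforward hunt: any IIS log entry whose attacker-controlled request fields contain Wrde, Exco or Cllo deserves triage. The following is an added example written for this page, not Symantec's or Cranefly's code. The log lines are constructed, the URI shapes are invented (the article does not document Geppei's actual command syntax), and the column list follows the common IIS W3C default. It parses the `#Fields:` header rather than assuming fixed column positions, because IIS emits a new header whenever the logged fields change.

```python
"""Hunt IIS W3C extended logs for the Geppei marker strings.

Added example for this article; not Symantec's or Cranefly's code.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable

# Strings Symantec reports Geppei looks for when it parses IIS logs.
MARKERS = ("Wrde", "Exco", "Cllo")

# Request fields the client controls and IIS records as received
# (IIS replaces spaces inside a field value with '+').
REQUEST_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)")

# Constructed sample log in IIS W3C extended format. The marker-bearing URIs
# are invented for illustration, not the real Geppei command syntax. Note the
# 404s: the request does not need to hit a real page to be written to the log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-27 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-27 09:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2022-10-27 09:00:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 5
2022-10-27 09:00:03 10.0.0.5 GET /static/Wrde/aGVsbG8= - 80 - 198.51.100.22 curl/7.79.1 - 404 0 2 3
2022-10-27 09:00:04 10.0.0.5 GET /img/a.png q=Exco+whoami 80 - 198.51.100.22 curl/7.79.1 - 404 0 2 3
2022-10-27 09:00:05 10.0.0.5 GET /Cllo - 80 - 198.51.100.22 curl/7.79.1 - 404 0 2 3
2022-10-27 09:00:06 10.0.0.5 GET /favicon.ico - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 1
"""


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    entries: list[dict[str, str]] = []
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines. '#Fields:' names the columns and can reappear
            # mid-file after a rollover or logging-config change, so track it.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entry before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry: skip rather than misalign
        entries.append(dict(zip(fields, values)))
    return entries


def find_marker_hits(lines: Iterable[str], markers=MARKERS, fields=REQUEST_FIELDS) -> list[dict[str, str]]:
    """Return one record per (entry, field, marker) where a marker string appears."""
    hits: list[dict[str, str]] = []
    for entry in parse_w3c(lines):
        for field in fields:
            value = entry.get(field, "-")
            for marker in markers:
                if marker in value:  # case-sensitive, as Symantec quotes the strings
                    hits.append({
                        "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                        "client": entry.get("c-ip", "?"),
                        "status": entry.get("sc-status", "?"),
                        "field": field,
                        "marker": marker,
                        "value": value,
                    })
    return hits


def clients_by_hits(hits: list[dict[str, str]]) -> Counter:
    """Count hits per client IP; a single source sending several markers is the strongest signal."""
    return Counter(hit["client"] for hit in hits)


if __name__ == "__main__":
    found = find_marker_hits(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"{hit['time']} {hit['client']} {hit['status']} {hit['field']}={hit['value']} [{hit['marker']}]")
    print("clients:", dict(clients_by_hits(found)))
```

On a real server, feed it the files under the IIS log directory (by default C:\inetpub\logs\LogFiles\W3SVC*\). Treat the output as leads, not verdicts: a legitimate path can contain one of these substrings, so cluster hits by client IP and look for several markers from one source against URIs that do not exist on the site, as in the constructed sample.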
The dropper also deploys Hacktool.Regeorg, a publicly available web shell (the reGeorg source is on GitHub) that is used here as a backdoor. Because the tool is public and has been adopted by many APT groups, its presence offers no attribution signal, and Symantec cannot tie this activity to any group other than UNC3524.
The dropper additionally deploys a previously unseen piece of malware, Trojan.Danfuan. Built on .NET dynamic compilation, it is a DynamicCodeCompiler: it receives C# source, compiles it on the fly and executes the result, which lets it act as a backdoor on compromised systems.
Researchers noted that the use of novel techniques and custom tooling indicates that Cranefly is “a fairly skilled threat actor.” Mandiant, which first uncovered the group in December 2019, said that while the focus on corporate transactions hints at financial motivation, the group's dwell time, well above the 21-day median Mandiant reported for 2021, suggests there could also be an espionage mandate.
Symantec's findings point the same way. “While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity indicate that the most likely motivation for this group is intelligence gathering,” the post noted.