Cranefly threat actors use new stealthy techniques to gather data and control malware (2nd November 2022)

Ref# AL2022_70 | Date: Nov 2nd 2022

Description  

The hacker group Cranefly was recently spotted using an undocumented dropper that utilizes a never-before-seen technique of reading Internet Information Services (IIS) logs to carry out intelligence gathering, deliver backdoors and control malware. 

Summary 

Cranefly, also tracked as UNC3524, is a hacking group that has been seen targeting corporate networks to steal emails from employees who deal with financial transactions such as mergers and acquisitions. One of the group's key malware strains is QUIETEXIT, a backdoor deployed on network appliances such as load balancers and wireless access point controllers, devices on which antivirus and endpoint detection tools are typically not available, so the implant goes undetected. This enabled the Cranefly group to fly under the radar for extended periods of time. Recently, the group was seen using a new stealthy technique in which commands are delivered to malware already installed on a targeted web server through that server's IIS logs. 

Microsoft Internet Information Services (IIS) is a web server used to host websites and web applications. It is also used by other software, such as Outlook on the Web (OWA) for Microsoft Exchange, to host management applications and web interfaces. Like any web server, IIS writes an entry to a log file for every request it receives; each entry records the timestamp, the client's IP address, the requested URL, the HTTP status code and other parameters. These IIS logs are retained and are normally used for troubleshooting and analytics. The Cranefly group, however, hides commands inside these legitimate IIS logs: because IIS records the requested URL, an attacker can place a command in an HTTP request sent to the server, and a dropper already running on the compromised web server then reads the log, extracts the command and executes it. The dropper looks for the specific strings Wrde, Exco and Cllo, which do not normally appear in IIS logs, and parses the log entries containing them to extract commands and malware. Depending on the string found, the dropper installs additional malware ("Wrde"), executes a command ("Exco"), or drops a tool that disables IIS logging ("Cllo"). 

The initial dropper that infects the web server is called Trojan.Geppei; it sits on the machine and waits for commands delivered through the IIS logs. Geppei can install two additional pieces of malware, Hacktool.Regeorg and Trojan.Danfuan. Hacktool.Regeorg is a publicly documented tool available on GitHub that the Cranefly group uses for reverse proxying. Trojan.Danfuan is a newly discovered backdoor built on .NET dynamic compilation: it receives C# source code from the attacker, compiles it and executes it in memory on the host.  

Researchers who analysed this threat concluded that the use of these techniques and custom tools to hide traces of activity on victim machines indicates that Cranefly is a skilled threat actor, and that the most likely motivation for the attacks is intelligence gathering. 

Indicators of Compromise: 

For a list of hashes related to the Trojan.Geppei, Hacktool.Regeorg and Trojan.Danfuan, follow the URL: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan 

Remediation  

Since this threat relies on attackers delivering commands through IIS logs, it is recommended to monitor those logs for the Wrde, Exco and Cllo command strings and to treat the source IP addresses of any matching requests as suspect. Because the "Cllo" command drops a tool that disables IIS logging, an unexpected stop or gap in IIS logging on a server should also be investigated. It is also recommended to monitor the network for suspicious activity and unexpected outbound traffic, as Trojan.Danfuan acts as a backdoor on the compromised system and Hacktool.Regeorg provides reverse proxying through it. 
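As an added example, not code from the Symantec write-up or from this alert, the following Python script implements the log monitoring recommended above: it parses IIS log entries in the W3C extended format and flags the entries that carry the three marker strings described in the Summary. The log lines, IP addresses, host and paths are constructed for the example. Matching is case-insensitive on the URL-decoded request stem and query; that is an assumption made here because the alert does not document exactly how the dropper locates the markers.

```python
"""Flag IIS log entries carrying the Cranefly/Geppei marker strings.

Added example for this alert; not code from the Symantec write-up.  The
W3C extended format is the one IIS writes by default.  Assumption: the
markers are matched case-insensitively as substrings of the URL-decoded
request stem and query, because the alert does not say exactly where the
dropper expects them.  All sample data below is constructed.
"""
import re
from urllib.parse import unquote

# Marker string -> dropper action, as described in the alert.
MARKERS = {
    "wrde": "install additional malware",
    "exco": "execute a command",
    "cllo": "drop a tool that disables IIS logging",
}
MARKER_RE = re.compile("|".join(MARKERS), re.IGNORECASE)

# Constructed sample log.  The IPs, host and paths are invented; they are not
# indicators of compromise.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-11-02 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-11-02 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0 200
2022-11-02 09:00:07 10.0.0.5 GET /favicon.ico - 443 - 192.0.2.10 Mozilla/5.0 404
2022-11-02 09:00:15 10.0.0.5 GET /404.aspx Wrde=payload 443 - 198.51.100.7 curl/7.79 404
2022-11-02 09:00:16 10.0.0.5 GET /index.html %45xco=whoami 443 - 198.51.100.7 curl/7.79 200
2022-11-02 09:00:30 10.0.0.5 GET /static/Cllo - 443 - 198.51.100.7 curl/7.79 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    Lines whose field count does not match the header are yielded with only
    the 'raw' key so that they are still scanned rather than silently dropped.
    """
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date, ...
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split(" ")
        record = dict(zip(fields, values)) if len(values) == len(fields) else {}
        record["raw"] = line
        yield record


def find_marker_hits(text):
    """Return a list of hits, one per log entry that contains a marker."""
    hits = []
    for rec in parse_w3c(text):
        if "cs-uri-stem" in rec:
            # Decode first: "%45xco" only becomes "Exco" after URL-decoding.
            haystack = unquote(rec["cs-uri-stem"] + " " + rec.get("cs-uri-query", ""))
        else:
            haystack = unquote(rec["raw"])   # malformed line: scan all of it
        m = MARKER_RE.search(haystack)
        if m is None:
            continue
        marker = m.group(0).lower()
        hits.append({
            "time": rec.get("date", "?") + " " + rec.get("time", "?"),
            "client": rec.get("c-ip", "?"),
            "marker": marker,
            "action": MARKERS[marker],
            "line": rec["raw"],
        })
    return hits


def markers_by_client(hits):
    """Group the distinct markers seen per source IP.  One client issuing
    several different markers is the operator, not a coincidental string."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["client"], set()).add(h["marker"])
    return grouped


if __name__ == "__main__":
    found = find_marker_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["marker"]}: {h["action"]}')
    for client, seen in markers_by_client(found).items():
        print(f"{client}: {sorted(seen)}")
```

Because the markers are matched as substrings, the script favours recall over precision: every hit still needs analyst review, and the per-client grouping is what separates an operator issuing Wrde, Exco and Cllo from the same address from a one-off coincidental string. Run it against the files under the IIS log directory of the server concerned rather than the embedded sample.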

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.   
