Espionage Hackers Use Microsoft IIS to Plant MalwareHacking Group Uses a New Backdoor Called Danfuan
Threat actors are using Internet Information Services - Microsoft's extensible web server software - to deliver a previously undocumented dropper that is being used to install a new backdoor and other tools.
The hacking group dubbed Cranefly, also known as UNC3524, uses a new backdoor called Danfuan, using another dropper called Geppei, according to researchers at Symantec.
"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks," researchers say.
Cranefly was first documented by Mandiant in May, and the group focuses on targeting the emails of employees that dealt with corporate development, mergers and acquisitions, and large corporate transactions.
Attackers behind the Cranefly had a long dwell time and they used to spend at least 18 months on victim networks by exploiting appliances that didn't support security tools.
Mandiant researchers found that the attackers installed backdoors on security tools like SANS arrays, load balancers, and wireless access point controllers.
Initially, the Symantec researchers observed a malicious activity of dropper Trojan.Geppei in a victim machine using PyInstaller, which converts Python script to an executable file.
Geppei has the capability to read commands from a legitimate IIS log, which is meant to record data from IIS, like web pages and apps.
"The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal, but Trojan.Geppei can read them as commands," researchers say.
Researchers say commands read by Geppei contain malicious encoded .ashx files, which are saved to an "arbitrary folder determined by the command parameter and they run as backdoors."
The strings like Wrde, Exco, and Cllo don't appear in IIS log files and they are used for malicious HTTP request parsing by Geppei.
"The presence of these strings prompts the dropper to carry out activity on a machine," researchers say. "The attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default."
In the following stage, the backdoor drops two droppers Hacktool.Regeorg and Trojan.Danfuan. ReGeorg is a known malware, a web shell that can create a SOCKS proxy and Danfuan is a previously unseen malware that is a DynamicCodeCompiler that compiles and executes received C# code.
"It appears to be based on .NET dynamic compilation technology. This type of dynamically compiled code is not created on disk but exists in memory. It acts as a backdoor on infected systems," researchers say.
Symantec researchers say that the use of a novel technique and custom tools and additional steps taken to hide its traces from victim machines shows how skilled the Cranefly actors are.
Researchers say they have not observed any instances of data being exfiltrated from victim machines. The tools deployed and efforts taken to conceal this activity indicates that the group focuses on "intelligence gathering."