Cranefly Cyberspy Group Spawns Unique IIS Technique
The threat actor uses commands from legitimate IIS logs to communicate with custom tools in a savvy bid to hide traces of its activity on victim machines.
October 28, 2022
Hacking group Cranefly is using Internet Information Services (IIS) commands in a new technique to deliver backdoors to targets and carry out intelligence-gathering campaigns.
Researchers at Symantec have observed a previously undocumented dropper Trojan called Geppei being used to install backdoors (including Danfuan and Regeorg) and other custom tools on SAN arrays, load balancers, and wireless access point (WAP) controllers that may lack appropriate security tools, according to a blog post on Oct. 28.
In examining the activity, the team noticed that Cranefly is using IIS logs to communicate with Geppei.
"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks, making it novel," Brigid O Gorman, senior intelligence analyst on Symantec’s Threat Hunter team, tells Dark Reading. "It is a clever way for the attacker to send commands to its dropper."
IIS logs record data such as webpages visited and apps used. The Cranefly attackers send commands to a compromised Web server by disguising them as Web access requests; IIS logs them as normal traffic, but the dropper reads them as commands if they contain the strings Wrde, Exco, or Cllo, which don't normally appear in IIS log files.
"These appear to be used for malicious HTTP request parsing by Geppei — the presence of these strings prompts the dropper to carry out activity on a machine," Gorman notes. "It is a very stealthy way for attackers to send these commands."
The commands contain malicious encoded .ashx files, which are saved to an arbitrary folder determined by the command parameter and run as backdoors (i.e., ReGeorg or Danfuan).
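Because the three marker strings don't normally appear in IIS log files, defenders can hunt for them in existing logs. The following sketch is an added example, not code from Symantec or the article; it assumes W3C extended log format, and the sample log lines and placeholder payloads are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Marker strings the article lists; case-sensitive, as written there.
MARKER_RE = re.compile("Wrde|Exco|Cllo")

# Constructed sample in W3C extended format; addresses are documentation ranges
# and the marker payloads are placeholders, not real Geppei commands.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-10-28 09:14:02 203.0.113.7 GET /default.aspx - 200
2022-10-28 09:14:40 203.0.113.9 GET /default.aspx id=Wrde-PLACEHOLDER 200
2022-10-28 09:15:11 198.51.100.4 GET /img/logo.png - 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2022-10-28 09:16:30 203.0.113.9 GET /%45xco-PLACEHOLDER 404
""".splitlines()


def scan_iis_log(lines):
    """Return one finding per log entry containing a marker string."""
    fields, findings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; track the latest header.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        entry = dict(zip(fields, values))
        hits = {}
        for i, value in enumerate(values):
            name = fields[i] if i < len(fields) else f"col{i}"
            # Match the raw value and its percent-decoded form.
            found = set(MARKER_RE.findall(value)) | set(MARKER_RE.findall(unquote(value)))
            if found:
                hits[name] = sorted(found)
        if hits:
            findings.append({"line": lineno, "date": entry.get("date"),
                             "time": entry.get("time"),
                             "client": entry.get("c-ip"), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage rather than proof of compromise; correlate it with the client address, the timestamp, and any newly created .ashx files on the server.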
Gorman explains that the technique of reading commands from IIS logs could in theory be used to deliver different types of malware if leveraged by threat actors with different goals.
"In this instance, the attackers leveraging it are interested in intelligence gathering and delivering backdoors, but that doesn't mean this technique couldn't be used to deliver other types of threats in the future," she says.
In this case, to date, the Symantec threat team has found evidence of attacks against just a handful of victims.
"That is not unusual for groups focused on espionage, as these attacks tend to be focused on a small number of selected victims," Gorman explains.
Cranefly: A Threat of Reasonable Sophistication
Gorman explains that the development of custom malware and new techniques requires a certain level of skills and resources that not all threat actors have.
"It implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks," she says, noting the gang also takes steps to cover up its activity on victim machines.
The dropped malicious backdoors are removed from victim machines if the Wrde command is called with a specific option ("r").
"A step like that displays quite a high level of operational security by the group," she adds.
Deploying an In-Depth Defense Strategy
Gorman says that the typical rules for defending against most types of cyberattacks also apply to Cranefly: Organizations should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.
"Organizations should also be aware of and monitor the use of dual-use tools inside their network," she says, noting that Symantec would also advise implementing proper audit and control of administrative account usage.
"We'd also suggest creating profiles of usage for admin tools as many of these tools are used by attackers to move laterally undetected through a network," she says. "Across the board, multifactor authentication (MFA) can help limit the usefulness of compromised credentials."