Researchers from Symantec have uncovered previously unknown tools and techniques used in a stealthy campaign by a threat actor they track as Cranefly (tracked by Mandiant as UNC3524).
The group uses a dropper, Trojan.Geppei, to install a previously undocumented backdoor, Trojan.Danfuan. Geppei's novel feature is that it takes its commands from Internet Information Services (IIS) web server logs, a technique Symantec's researchers say they have never seen used in real-world attacks before.
The Cranefly attack group was first publicly documented by Mandiant in May and was described as heavily targeting the emails of employees who dealt with corporate development, mergers and acquisitions, and large corporate transactions.
Cranefly has a particularly long dwell time, often spending at least 18 months on a victim's network while staying under the radar. Its evasion techniques include installing backdoors on appliances that do not support endpoint security tools, such as SAN arrays, load balancers and wireless access point controllers.
Geppei is a Python script packaged as an executable with PyInstaller, and it reads its commands from legitimate IIS logs. IIS logs every request made to the web pages and applications it hosts, so the attackers can deliver commands to a compromised web server simply by sending HTTP requests whose URIs carry the command, disguised as ordinary web access requests. IIS records them as it would any other request, and Geppei, reading the log file on the host, extracts and executes them.
The commands Geppei reads contain encoded .ashx files, which it decodes, saves to an arbitrary folder and runs as backdoors. Geppei recognises the commands by strings that do not normally appear in IIS log files; these strings appear to be what it uses when parsing the logged HTTP requests, and their presence is what prompts the dropper to act.
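The same property the attackers rely on works for defenders: because the commands arrive as logged HTTP requests, the IIS W3C logs can be searched for them. The following Python script is an added example, not code from the article or from Symantec. The marker tokens (CMDWRITE, CMDEXEC, CMDCLEAR) and the sample log lines are constructed for illustration and are not Geppei's real strings; substitute the strings from the Indicators of Compromise section. The second heuristic, a long high-entropy run in a path segment or query value, targets the encoded file payload itself and so generalises beyond any one marker set.

```python
"""Hunt IIS W3C extended logs for command-bearing requests (added example)."""
import math
import re
import string
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional

# HYPOTHETICAL marker tokens for illustration only; replace them with the
# strings from the vendor's indicators of compromise. The property that
# matters is that no legitimate client of your application would send them.
MARKER_TOKENS = ("CMDWRITE", "CMDEXEC", "CMDCLEAR")

# Heuristic for an embedded encoded payload (such as an encoded .ashx file):
# a long run of base64 / URL-safe characters with high per-character entropy.
MIN_BLOB_LEN = 40
MIN_BLOB_ENTROPY = 4.5          # bits/char; random base64 is ~6, English ~4
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{%d,}$" % MIN_BLOB_LEN)


def shannon_entropy(s: str) -> float:
    """Entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive.

    Records are space separated. IIS re-emits #Fields when the field set
    changes or the service restarts, so the column map is refreshed each time.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):            # #Software, #Version, #Date
            continue
        if not fields:
            raise ValueError("record appears before a #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):       # truncated or corrupt record
            continue
        yield dict(zip(fields, parts))


@dataclass
class Finding:
    client_ip: str
    request: str
    reasons: List[str] = field(default_factory=list)


def _uri_tokens(stem: str, query: str) -> List[str]:
    """Split the request into path segments and query keys/values."""
    tokens = [seg for seg in stem.split("/") if seg]
    if query and query != "-":              # IIS writes '-' for an empty field
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            tokens.extend(t for t in (key, value) if t)
    return tokens


def inspect_record(rec: Dict[str, str]) -> Optional[Finding]:
    """Flag a record whose URI carries a marker token or an encoded blob."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    request = stem if query == "-" else f"{stem}?{query}"
    reasons = [f"marker:{m}" for m in MARKER_TOKENS if m in request]
    for tok in _uri_tokens(stem, query):
        if _BLOB_RE.match(tok) and shannon_entropy(tok) >= MIN_BLOB_ENTROPY:
            reasons.append(f"blob:len={len(tok)},entropy={shannon_entropy(tok):.1f}")
            break
    return Finding(rec.get("c-ip", "?"), request, reasons) if reasons else None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every logged request that looks like a command."""
    return [f for f in (inspect_record(r) for r in parse_w3c(lines)) if f]


# Constructed payload: 64 distinct URL-safe base64 characters, so its entropy
# is exactly log2(64) = 6.0 bits/char, about what a real encoded file shows.
PAYLOAD_BLOB = string.ascii_letters + string.digits + "-_"

# Constructed sample log, not from any real incident. Note the 404s: the
# dropper reads the log, so the request does not have to hit a real page.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2022-10-25 12:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    "2022-10-25 12:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 "
    "Mozilla/5.0 - 200 0 0 12",
    "2022-10-25 12:00:02 10.0.0.5 GET /app/search q=quarterly+report 443 - "
    "198.51.100.7 Mozilla/5.0 - 200 0 0 40",
    "2022-10-25 12:00:03 10.0.0.5 GET /favicon.ico CMDWRITE=" + PAYLOAD_BLOB +
    " 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 3",
    "2022-10-25 12:00:09 10.0.0.5 GET /CMDCLEAR - 443 - 203.0.113.9 "
    "Mozilla/5.0 - 404 0 2 1",
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f.client_ip, f.request, ", ".join(f.reasons))
```

Two caveats a practitioner should keep in mind when running this against real logs: the request does not need to succeed, a 404 is logged just the same, so filtering on successful status codes would miss the traffic; and the entropy threshold is a heuristic to tune against your own application, since long session tokens or signed URLs in query strings will also trip it.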
The backdoors dropped by Geppei include Hacktool.Regeorg, a known web shell that turns the compromised server into a SOCKS proxy, but that is not the interesting one. The previously unknown Trojan.Danfuan is a DynamicCodeCompiler: built on .NET dynamic compilation technology, it receives C# code, compiles it in memory and executes it, giving the attackers a backdoor on the infected system. Because the compiled code is never written to disk, it leaves little for file-based scanning to find.
Multiple APT groups use Hacktool.Regeorg, and its code is publicly available on GitHub, so it offers no clue to attribution. The only clue is the link to the group Mandiant first detailed as UNC3524 earlier this year, which Mandiant itself said could not be conclusively linked to other known threat groups.
Indicators of Compromise