A dropper called Trojan.Geppei is being used by a threat actor Symantec has dubbed “Cranefly” (tracked by Mandiant as UNC3524) to install previously undocumented malware known as Danfuan, along with other tools. Geppei reads its commands from Internet Information Services (IIS) logs, a technique Symantec’s researchers say they have never seen used in real-world attacks before.
Cranefly was first reported by researchers at Mandiant in May, who described it as heavily targeting the email of employees working on corporate development, mergers and acquisitions, and large corporate transactions.
Standing out from typical attack groups, Cranefly has a particularly long dwell time, often spending at least 18 months on a victim’s network while staying under the radar. Its evasion techniques include installing backdoors on appliances that don’t support endpoint security tools, such as SAN arrays, load balancers and wireless access point controllers.
Geppei is a Python script packaged into an executable with PyInstaller, and it reads its commands from legitimate IIS logs. IIS logs record the requests made to IIS-hosted web pages and applications, so the attackers can send commands to a compromised web server by disguising them as ordinary web access requests: IIS logs them like any other request, but Geppei reads the resulting log entries as commands.
The commands contain encoded malicious .ashx files, which Geppei saves to an arbitrary folder and runs as backdoors. Geppei identifies its commands by strings that would not normally appear in IIS log files; those same strings are what it uses to parse the malicious HTTP requests out of the log.
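The following is an added example, not code from Symantec or from the Cranefly toolset, that re-creates the log-as-command-channel mechanism described above and pairs it with a detection check a defender could run over the same IIS logs. The marker tokens "CMD0"/"CMD1", the query parameter "q", and the .ashx stub are assumptions invented for the illustration; the article does not name Geppei's real markers. The W3C log excerpt is constructed and built inside the block.

```python
"""Re-creation of an IIS-log command channel plus a detection pass over it.

Everything here is illustrative. The markers, parameter name and handler
source are hypothetical; the log lines are constructed, not captured.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Hypothetical marker tokens delimiting a command inside a request (assumption:
# invented for this example; the article names no specific markers).
START, END = "CMD0", "CMD1"

# Constructed .ashx stub standing in for the encoded handler a command carries.
HANDLER_SRC = '<%@ WebHandler Language="C#" Class="H" %>'

# Base64 alphabet run between the two markers (non-greedy so END is honoured).
_CMD_RE = re.compile(re.escape(START) + r"([A-Za-z0-9+/=]+?)" + re.escape(END))
# Any long base64-looking run in a query string is worth a second look.
_LONG_B64_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")


def build_sample_log() -> str:
    """Return a constructed W3C IIS log excerpt: one benign request, one request
    whose query smuggles a base64 .ashx between the markers (the server answers
    404 because the page need not exist; IIS logs it anyway), and one with a long
    base64-like blob but no markers."""
    blob = base64.b64encode(HANDLER_SRC.encode()).decode()
    lines = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Version: 1.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status",
        "2022-10-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200",
        f"2022-10-01 00:00:02 10.0.0.5 GET /default.aspx q={START}{blob}{END} "
        "443 - 198.51.100.9 Mozilla/5.0 404",
        "2022-10-01 00:00:03 10.0.0.5 GET /api/v1 token=" + "A" * 48
        + " 443 - 203.0.113.7 curl/7.0 200",
    ]
    return "\n".join(lines) + "\n"


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def extract_commands(records: List[Dict[str, str]]) -> List[str]:
    """What the implant side does: pull marker-delimited payloads out of the
    logged query strings and decode them. Undecodable blobs are ignored."""
    commands: List[str] = []
    for rec in records:
        for match in _CMD_RE.finditer(rec.get("cs-uri-query", "")):
            try:
                commands.append(base64.b64decode(match.group(1)).decode("utf-8", "replace"))
            except binascii.Error:
                continue
    return commands


def flag_suspicious(records: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """What the defender side does: return (record, reasons) for log entries
    whose query carries the known markers or an unusually long base64-like run."""
    flagged: List[Tuple[Dict[str, str], List[str]]] = []
    for rec in records:
        query = rec.get("cs-uri-query", "")
        reasons: List[str] = []
        if _CMD_RE.search(query):
            reasons.append("marker")
        if _LONG_B64_RE.search(query):
            reasons.append("long-base64-run")
        if reasons:
            flagged.append((rec, reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_iis_log(build_sample_log())
    print("commands:", extract_commands(recs))
    for rec, why in flag_suspicious(recs):
        print(rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], why)
```

The marker check only works once the markers are known, which is why the second heuristic (a long base64-looking run in a query string) is included: it catches the channel regardless of the delimiters, at the cost of false positives on legitimate tokens, so it is a triage filter rather than a verdict.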
The backdoors dropped by Geppei include Hacktool.Regeorg, a known tool that creates a SOCKS proxy, but that is not the interesting one. The previously unknown Danfuan is a DynamicCodeCompiler that compiles and executes C# code. It is based on .NET dynamic compilation technology, compiles the received code in memory and functions as a backdoor on infected systems.
Just who is behind Cranefly and Danfuan is…