A dropper called Trojan.Geppei is being used by a threat actor Symantec has dubbed “Cranefly” (UNC3524) to install previously undocumented malware known as Danfuan and other tools. Danfuan is described as using the novel technique of reading commands from Internet Information Services (IIS) logs, something Symantec’s researchers have never seen used in real-world attacks before.
The Cranefly attack group was first detected by researchers at Mandiant in May and was described as heavily targeting the emails of employees who dealt with corporate development, mergers and acquisitions and large corporate transactions.
Standing out from typical attack groups, Cranefly has a particularly long dwell time, often spending at least 18 months on a victim’s network while staying under the radar. Avoidance techniques include installing backdoors on appliances that don’t support security tools, such as SAN arrays, load balancers and wireless access point controllers.
The Geppei Trojan uses PyInstaller to convert a Python script to an executable file and reads commands from legitimate IIS logs. IIS logs record requests made to IIS-hosted web pages and apps, so the attackers can send commands to a compromised web server by disguising them as ordinary web access requests. IIS logs them as it would any other request, but Geppei can read them back as commands.
Geppei’s commands contain malicious encoded .ashx files. The files are saved to an arbitrary folder and run as backdoors. The commands are marked with strings that would not normally appear in IIS log files, and Geppei uses these markers when parsing the logged HTTP requests for commands.
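A defender-side way to look for this pattern is to parse IIS W3C logs and flag requests whose URI carries marker tokens or long encoded payloads. The following is an added example for this article, not code from Symantec's report or from the malware; the log lines are constructed and the marker names are hypothetical placeholders, since the article does not name the real ones.

```python
import re

# Constructed IIS W3C log excerpt (not from the report). The third entry carries a
# placeholder marker and a long base64-looking query value, as a smuggled command would.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 10:00:01 10.0.0.5 GET /index.html - 443 - 192.0.2.10 Mozilla/5.0 200
2022-10-01 10:00:02 10.0.0.5 GET /api/items id=42&page=2 443 - 192.0.2.11 Mozilla/5.0 200
2022-10-01 10:00:03 10.0.0.5 GET /favicon.ico MARKER_A=Q29uc3RydWN0ZWRFeGFtcGxlUGF5bG9hZEZvckRldGVjdGlvbk9ubHk= 443 - 198.51.100.7 curl/7.79 404
"""

# Hypothetical marker tokens; the real strings Geppei searches for are not given here.
DEFAULT_MARKERS = ("MARKER_A", "MARKER_B")


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields line.

    IIS encodes spaces inside field values (e.g. the User-Agent) as '+', so
    splitting on whitespace yields exactly one token per field.
    """
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_suspicious(records, markers=DEFAULT_MARKERS, min_b64_len=40):
    """Return records whose URI stem or query looks like a smuggled command.

    Heuristics: a known marker token, a long run of base64-alphabet characters
    (an encoded payload such as an .ashx file), or an explicit .ashx reference.
    """
    b64_run = re.compile(r"[A-Za-z0-9+/]{%d,}" % min_b64_len)
    hits = []
    for rec in records:
        blob = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        reasons = []
        if any(m in blob for m in markers):
            reasons.append("marker token present")
        if b64_run.search(blob):
            reasons.append("long base64-like run in request")
        if ".ashx" in blob.lower():
            reasons.append("reference to .ashx handler")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits
```

Run over real logs, the base64-run heuristic will also catch legitimate long tokens, so treat hits as triage candidates and tune `min_b64_len` per site.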
The backdoors dropped by Geppei include Hacktool.Regeorg, a known form of malware that can create a SOCKS proxy, but that’s not the interesting one. The previously unknown Trojan Danfuan is a DynamicCodeCompiler that compiles and executes C# code: based on .NET dynamic compilation technology, it compiles code in memory, delivering a backdoor to infected systems.
Just who is behind Cranefly and Danfuan is unknown, however. Multiple advanced persistent threat groups use Hacktool.Regeorg and the code is publicly available on GitHub, so that does not offer any clues. The only clue is the link to the same group first detailed by Mandiant earlier this year, which Mandiant itself said could not be conclusively linked to other threat groups.
“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” the report concludes. “While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”