Ordinary web access request or command to malware?

A threat group that targets corporate emails is delivering dropper malware through a novel technique that uses Microsoft Internet Information Services (IIS) logs to send commands disguised as web access requests.

The dropper, dubbed Geppei, is being used by a group Symantec threat researchers call Cranefly to install other undocumented malware.

“The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” the researchers from Symantec’s Threat Hunter Team write in a recent report.

Cranefly was first described by Mandiant, when the team outlined the operations of a group it called UNC3524.

Geppei uses PyInstaller, which converts a Python script to an executable file, they say. IIS logs record IIS activity such as requests for web pages and apps. The attackers send commands to a compromised web server disguised as web access requests.

“Geppei reads commands from a legitimate IIS log. IIS logs them as normal but Trojan.Geppei can read them as commands,” the analysts write. “The commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.”

The group uses the strings Wrde, Exco, and CIIo (none of which usually appear in IIS log files) in malicious HTTP requests that Geppei parses. The presence of the strings apparently prompts the dropper to do its work on a compromised Microsoft machine. Cranefly can use a dummy or non-existent URL to send commands because IIS logs 404s in the same log file by default.
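Because the three strings rarely occur in legitimate traffic, existing IIS logs can be searched for them, including entries that returned 404. The Python sketch below is an added example, not code from the article or from Symantec's report; the log lines are constructed, the function names are hypothetical, and case-sensitive matching of the markers is an assumption.

```python
import re

# Marker strings the article says Geppei looks for in IIS log entries.
MARKERS = ("Wrde", "Exco", "CIIo")
# Assumption: match case-sensitively, exactly as the article spells them.
MARKER_RE = re.compile("|".join(map(re.escape, MARKERS)))

# Constructed W3C extended log sample (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 08:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-01 08:00:09 10.0.0.5 GET /no-such-page.aspx id=WrdePLACEHOLDERWrde 443 - 203.0.113.9 Mozilla/5.0 404
2022-10-01 08:01:30 10.0.0.5 GET /search q=wrde 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-01 08:02:44 10.0.0.5 POST /api/ExcoPLACEHOLDER - 443 - 203.0.113.9 curl/8.0 404
"""

def scan_iis_log(lines):
    """Yield one dict per request whose URI stem or query contains a marker."""
    fields = []
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or data before any #Fields
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        target = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        found = sorted(set(MARKER_RE.findall(target)))
        if found:
            # Status is reported, not filtered on: 404s land in the same log.
            yield {"line": lineno, "markers": found, "client": row.get("c-ip"),
                   "status": row.get("sc-status"), "request": target}

def scan_text(text):
    """Convenience wrapper: scan a whole log held in memory."""
    return list(scan_iis_log(text.splitlines()))

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for investigation rather than proof of compromise, since the short strings can occur by chance in long encoded query values.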

Among the backdoors dropped by Geppei is ReGeorg, a known web shell that both Symantec and Mandiant have seen Cranefly use. ReGeorg is publicly available on GitHub and has been used by a number of advanced persistent threat (APT) groups before, though Symantec has only linked it to Cranefly.

It also drops the Danfuan trojan, another undocumented piece of malware that compiles and executes received C# code and apparently is based on .NET dynamic compilation technology. This type of code isn’t created on disk but exists in memory, the Symantec researchers say.

“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” they write.

“While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”

Mandiant analysts write that they had been tracking the group since December 2019. According to the cybersecurity vendors, Cranefly targets the corporate emails of employees with an eye toward messages dealing with corporate development, M&A activity, and large corporate transactions.

The Mandiant researchers note that emails not only hold a lot of organizational information but are also stored in a central location, making it easier for threat groups to collect them. Email systems, both on-premises and in the cloud, also include methods for searching and accessing email data, including eDiscovery and Graph APIs, tools that cybercriminals can also use to collect information.

The threat group has been seen squatting in a target’s network for as long as 18 months and using a number of techniques to remain undetected, including installing backdoors on appliances like SAN arrays, load balancers, and wireless access point controllers, all of which don’t tend to support security tools like antivirus or endpoint protection.

The Mandiant researchers write that they saw Cranefly drop both ReGeorg and a new backdoor called QuietExit, which is based on the open-source Dropbear SSH software.

They note that while the attackers’ choice of victims suggests their motivation was financial, their ability to stay undetected well beyond the average dwell time of 21 days suggests espionage.

The research group has a list of indicators of compromise on the post.