Cyber threat actors are using a never-before-seen technique to stealthily infect victims with malware by abusing legitimate tools. The campaign has been detailed by cybersecurity researchers who say that the attackers can spend more than 18 months inside the networks of victims while taking steps to ensure their activity stays under the radar to avoid detection in what's thought to be an intelligence-gathering and espionage operation.
How the attack begins is still uncertain, but victims become infected with a previously undocumented form of malware named Geppei. The way the Geppei malware communicates with its controller is completely new: It uses Internet Information Services web server log files. The malware activates when it discovers specific strings in the IIS log file such as “Wrde,” “Exco” or “Cllo.” Those strings do not exist in regular IIS logs. The existence of such strings in any IIS log file is therefore a strong indicator of an attack using the Geppei malware. which is used to deliver another form of backdoor malware that has been named Danfuan.
Danfuan provides secret access to compromised machines, along with the ability to snoop on data stored or entered on systems. This is a previously unseen malware. It is a DynamicCodeCompiler that compiles and executes received C# code. It appears to be based on .NET dynamic compilation technology.
The attackers attempt to stay under the radar by installing backdoors on appliances that didn't support security tools, such as SANS arrays, load balancers, and wireless access point controllers. What makes this campaign unique is the way Geppei abuses Internet Information Services (IIS) logs to remain undetected, something which researchers say they have not seen used in attacks before. IIS logs form part of Windows server services and are commonly used for troubleshooting web applications, along with providing information on how users interact with websites and applications.
Geppei reads commands from a legitimate IIS log, which are meant to record data from IIS, such as web pages and apps. In this scenario, the attackers can send commands to a compromised web server by disguising them as web access requests and, while IIS logs them as normal, the trojan can read them as commands. The commands read by Geppei contain malicious encoded files that are saved to an arbitrary folder and they run as backdoors. The use of IIS logs by the attacker is one of the most interesting things about this campaign. The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks.
The attacks are linked to a group named Cranefly, also known as UNC3524. Researchers suggest that the novel and exceedingly stealthy methods used in this campaign indicate that it's the work of a "fairly skilled threat actor" who is motivated by intelligence gathering. This threat actor as one that targets emails of employees focused on corporate development, mergers and acquisitions, and large corporate transactions.
The development of custom malware and new tools requires a certain level of skills and resources that not all threat actors have, so it implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks.
Investigators have not linked the attacks to any particular attacker, but researchers at Mandiant have previously noted that methodologies used in campaigns by Cranefly/UNC3524 "overlapped with techniques used by multiple Russia-based espionage threat actors". The campaign is not widespread, but that does not mean it is not a danger to organizations as the campaign remains active and those behind it are adopting new techniques to hide attacks. There are actions that can be taken to help prevent this attack and other malicious cyber campaigns. Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
.pdf here: TR-22-305-001.pdf