A hacking group dubbed Cranefly (aka UNC3524) is using a previously unseen technique to send commands to backdoor malware installed on the device.

What’s new?

According to Symantec researchers, Cranefly is utilizing Microsoft IIS web server logs to evade tracking by law enforcement and researchers.
  • Cranefly is using a new dropper, Trojan.Geppei, that further installs another undocumented malware Trojan.Danfuan and other tools.
  • Geppei reads commands from the legitimate IIS logs and looks for specific strings that are then parsed to extract commands and payloads.
  • Cranefly relies on an open-source tool named Hacktool.Regeorg for reverse proxying. This tool has been used by other actors such as APT28, DeftTorero, and Worok in the past.

Diving into the details

The trojan keeps scanning the specific IIS logs for specific keywords (Wrde, Exco, Cllo), and depending on their occurrence, Geppei is prompted to carry out specific activities on a machine.
  • The Wrde string prompts Geppei to drop ReGeorg or Danfuan malware. 
  • Exco string instructs it to decrypt and launch an OS command on the server.
  • With the occurrence of the Cllo string, the malware calls a function that drops a hacking tool named sckspy.exe, which disables event log logging on the Service Control Manager.

The background of Cranefly

Mandiant researchers first discovered Cranefly in December 2019. It is a skilled hacking group that has remained undetected for an extended dwell time of 18 months on compromised networks.

Wrapping up

With new custom tools and evasive techniques, Cranefly is maintaining a foothold on compromised servers and focusing on stealthily gathering intelligence. The use of the Regeorg tool indicates the connection with other hacking groups. The novel technique of abusing IIS logs shows that defenders need to implement advanced monitoring techniques for malicious IIS logs.
Cyware Publisher