Symantec security researchers have discovered a novel dropper dubbed Geppei being used by a threat actor called Cranefly to deploy yet another undocumented malware named Danfuan and other tools. The dropper reads its commands from the Internet Information Services (IIS) logs, a technique the researchers say they haven’t seen in use in real-world attacks to date.
The threat actor, Cranefly, otherwise known as UNC3524, was first brought to light in May 2022 by researchers over at Mandiant when they discovered the group targeting emails of employees dealing with corporate development, mergers and acquisitions and large corporate transactions.
Cranefly manages to stay under the radar by lurking for as long as 18 months on the target’s network by deploying backdoors on appliances that don’t usually support security tools, including SANS arrays, load balancers and wireless access point controllers. Mandiant researchers caught Cranefly downloading a new backdoor called QuietExit at the time, with the ReGeorg web shell being used as a backup backdoor.
As for the latest campaign caught by Symantec, the group is using Geppei, an undocumented dropper that uses PyInstaller, a tool that converts Python scripts to executable files.
The dropper takes its commands from IIS logs meant to record data from web pages and apps. This means that the attackers can send commands to a compromised web server as regular web access requests, which are then logged as usual in the IIS logs but are interpreted as commands by the dropper.
These commands include strings like Wrde, Exco and Cllo. They don’t usually appear in IIS logs and appear to be used for malicious HTTP request parsing by Geppei. The presence of these strings in the IIS logs prompts the dropper to start activity on a machine, the activity being downloading and deploying the aforementioned Danfuan and ReGeorg malware.
Except for the fact that it’s a DynamicCodeComplier that compiles and executes C# code and appears to be based on the .NET dynamic compilation technology, little else is known about Danfuan at the moment. The code it dynamically generates exists in memory but not on the disk helping it live as a backdoor undetected in infected systems.
ReGeorg on the other hand is a known malware and functions as a web shell that creates a SOCKS proxy. This is a feature used by some VPN clients to fake their location or in technical terms, hide their IP address from online services. Two versions of ReGeorg were found by Symantec, one of which was already used in the previous campaign discovered by Mandiant.
The use of ReGeorg is yet to be linked with any other group outside of Cranefly. Since the malware’s code is openly available on GitHub, its use doesn’t offer any clues for attribution.
In the News: Elon Musk might revive Vine