Posted on October 29, 2022 at 11:57 AM
The Cranefly hacking group, also known as UNC3524, is using a previously unseen technique to control malware on infected devices: commands are delivered through Microsoft Internet Information Services (IIS) web server logs.
Hackers use a novel malware-control technique
Microsoft Internet Information Services (IIS) is a web server used to host websites and web applications. Other software relies on IIS as well; Outlook on the Web (OWA) for Microsoft Exchange, for example, uses it to host its web interfaces and management applications.
As with any web server, when a remote user accesses a web page, IIS records the request in log files containing, among other fields, the timestamp, the source IP address, the HTTP status code, and the requested URL.
Web server logs are mainly used for analytics and troubleshooting. A recently released Symantec report says the hacking group used a novel technique in which IIS logs carry commands to backdoor malware installed on a device.
Malware is one of the tools hackers use most. Typically it receives its commands over network connections to command and control servers, but many organizations now deploy tools that monitor network traffic and detect such malicious communications.
Web server logs store the requests of every website visitor worldwide, and security software rarely monitors them closely. That makes the logs an ideal place for hackers to hide malicious commands while lowering the chance that the organization identifies the attack.
This mirrors the technique of hiding malware inside Windows Event Logs that was detected in May this year. Both are used by threat actors who want to operate stealthily and avoid detection.
The Symantec researchers who uncovered the new tactic said it was the first time they had seen it used by malicious actors. Threat actors that want to remain hidden, however, keep finding new ways to avoid detection.
Cranefly, one of the largest cyberspy groups, was previously detected by Mandiant after remaining hidden for 18 months inside affected networks. The hackers focus their operations on staying undetected.
A rise in trojan malware tricks
Symantec researchers have also detected a new dropper deployed by the Cranefly cyberspy group. The dropper, known as “Trojan.Geppei”, installs “Trojan.Danfuan”, a previously unknown piece of malware.
Geppei reads commands directly from the IIS logs, searching for specific strings that it then parses to obtain payloads and commands. The strings it looks for, Wrde, Exco, and Cllo, do not normally appear in IIS log files.
In the report, the researchers said that “these appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine.”
Depending on which string it finds in the IIS log, the malware installs additional malware, runs commands, or drops a tool that disables IIS logging. For instance, if the HTTP request contains the “Wrde” string, Geppei deploys either a ReGeorg webshell or the previously undocumented Danfuan tool.
ReGeorg is already documented malware; Cranefly uses it for reverse proxying. Danfuan, by contrast, is new malware that receives C# code and compiles it in the host's memory.
If a request carries the “Exco” string, the malware decrypts the backdoor and runs an OS command on the server. The “Cllo” string calls a clear function that drops a hacking tool known as “sckspy.exe”, which disables event log logging in the Service Control Manager.
Cranefly uses the technique to maintain its hold on affected servers while silently gathering intelligence. The tactic also helps throw law enforcement and researchers off track. The attackers deliver commands through several channels, such as VPNs, proxy servers, Tor, or online programming IDEs.
It is not known when the threat actors began abusing this method in attacks. Most defenders, however, already monitor IIS logs for web shells, and those routines could be extended to search for the command strings used in this campaign.
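As an added illustration of that last point (example code written for this page, not from the article or from Symantec), the following Python script parses IIS W3C extended logs by their #Fields header and flags any field containing one of the three marker strings; the sample log lines are constructed.

```python
# Added example (not from the article or Symantec): hunt for the Geppei
# command markers in IIS W3C extended logs. IIS writes a "#Fields:" header
# naming each space-separated column; parsing by that header keeps the
# column lookup correct whatever field order the server is configured with.
import re

# Strings the article says Geppei looks for and that normal IIS logs lack.
MARKERS = ("Wrde", "Exco", "Cllo")
MARKER_RE = re.compile("|".join(MARKERS))

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the #Fields column names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # directives, blank lines, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, values))

def find_marker_hits(lines):
    """Return (marker, client IP, field, value) for every field holding a marker."""
    hits = []
    for rec in parse_w3c(lines):
        for field, value in rec.items():
            m = MARKER_RE.search(value)
            if m:
                hits.append((m.group(0), rec.get("c-ip", "?"), field, value))
    return hits

# Constructed sample log: two ordinary OWA requests, then three carrying markers.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-01 08:00:01 10.0.0.5 GET /owa/ - 203.0.113.7 Mozilla/5.0 200
2022-10-01 08:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=x 203.0.113.7 Mozilla/5.0 200
2022-10-01 08:00:03 10.0.0.5 GET /owa/ Wrde=AAAA 198.51.100.9 Mozilla/5.0 404
2022-10-01 08:00:04 10.0.0.5 GET /Exco/ - 198.51.100.9 Mozilla/5.0 404
2022-10-01 08:00:05 10.0.0.5 GET / - 198.51.100.9 Cllo 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print("marker=%s client=%s field=%s value=%s" % hit)
```

Splitting on a single space is safe because IIS replaces spaces inside logged field values with "+". Since the "Cllo" step drops a tool that disables logging, an empty result is not proof of a clean server; a sudden stop in log writing is itself worth alerting on.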