Researchers Discover Sneaky Espionage Hacking Methods Used by Cranefly
A new backdoor called Danfuan has been linked to a recently uncovered hacking group that is notorious for targeting employees who handle corporate transactions.
A study published by researchers at Symantec, part of Broadcom Software, says the Geppei dropper is used to spread this hitherto undocumented malware.
According to the researchers, the dropper “is being used to install a new backdoor and other tools utilizing the innovative technique of reading commands from seemingly innocent Internet Information Services (IIS) logs.”
The cybersecurity firm has linked the toolset to UNC3524, also known as Cranefly, a suspected espionage actor that first came to light in May 2022 because of its emphasis on mass email collection from targets involved in mergers and acquisitions and other financial transactions.
Espionage Hacking Methods
One of the main malware strains used by the group is called QUIETEXIT. It installs a backdoor on network equipment, such as load balancers and wireless access point controllers, that does not support antivirus or endpoint detection tools.
Geppei and Danfuan augment Cranefly’s arsenal of specialized cyber weapons. Geppei serves as a dropper by reading commands from IIS logs, where they are disguised as normal web access requests sent to a compromised host.
The researchers highlighted that “the commands read by Geppei contain maliciously encoded .ashx files.” These files function as backdoors and are saved in an arbitrary folder chosen by the command option.
These include a web shell known as reGeorg, which has been used by other actors such as APT28, DeftTorero and Worok, and a previously undocumented piece of malware known as Danfuan that is designed to execute incoming C# code.
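The technique described above, a dropper pulling its instructions out of web-server logs where they sit among ordinary requests, gives defenders a concrete place to look: the IIS logs themselves. The following is an added example written for this article, not code from Symantec or from the Cranefly report, and the sample log lines and the heuristics (long base64-like blobs in the query string, queries sent to resources that return 404, requests with no User-Agent) are constructed for illustration rather than taken from the report's indicators. It parses the IIS W3C extended log format using the #Fields header, scores each record against those weak signals, and flags a record only when more than one signal coincides, so a single legitimate session token does not produce a hit.

```python
"""Heuristic triage of IIS W3C extended logs for records that look like they
carry encoded commands rather than ordinary web traffic.

Added example, not code from the Symantec report. The heuristics and the
sample log below are constructed for illustration; they are not indicators
of Geppei or of any other tool named in the article.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Base64 blobs of at least this length in a query string are worth a look.
MIN_TOKEN_LEN = 32
# One weak signal is common in legitimate traffic; require several to flag.
MIN_SIGNALS = 2

B64_TOKEN = re.compile(rf"[A-Za-z0-9+/]{{{MIN_TOKEN_LEN},}}={{0,2}}")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample log (assumed format: IIS W3C extended). IIS writes '+' in
# place of spaces inside the User-Agent field, which is why a plain split on
# ' ' recovers the columns.
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-01 12:00:01 10.0.0.5 GET /index.html - 80 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-10-01 12:00:02 10.0.0.5 GET /images/logo.png - 80 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2022-10-01 12:00:03 10.0.0.5 GET /api/status id=42&format=json 80 192.0.2.11 curl/7.85.0 200
2022-10-01 12:00:04 10.0.0.5 GET /no-such-page.aspx q={_b64("constructed placeholder, not a real Geppei command")} 80 198.51.100.7 - 404
2022-10-01 12:00:05 10.0.0.5 GET /account/session token={_b64("constructed legitimate-looking session token")} 80 192.0.2.13 Mozilla/5.0+(X11) 200
2022-10-01 12:00:06 10.0.0.5 GET /robots.txt - 80 192.0.2.12 Googlebot/2.1 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    request: str
    signals: list


def parse_w3c(text: str):
    """Yield (line_no, record_dict) per data line, keyed by the #Fields header.

    A line whose column count does not match the header is yielded as
    (line_no, None) so the caller can report it instead of silently dropping it.
    """
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before #Fields header")
        values = raw.split(" ")
        yield line_no, (dict(zip(fields, values)) if len(values) == len(fields) else None)


def decodes_as_base64(token: str) -> bool:
    """True if the token is well-formed standard base64 (length and alphabet)."""
    if len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return True


def signals_for(entry: dict) -> list:
    """Return the list of weak signals present in one parsed log record."""
    signals = []
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        blobs = [t for t in B64_TOKEN.findall(query) if decodes_as_base64(t)]
        if blobs:
            signals.append(f"{len(blobs)} base64-like blob(s) of {MIN_TOKEN_LEN}+ chars in query")
        if entry.get("sc-status") == "404":
            signals.append("query string sent to a resource that does not exist (404)")
    if entry.get("cs(User-Agent)", "-") == "-":
        signals.append("no User-Agent header")
    return signals


def scan(text: str) -> list:
    """Return Findings for records with >= MIN_SIGNALS signals or malformed records."""
    findings = []
    for line_no, entry in parse_w3c(text):
        if entry is None:
            findings.append(Finding(line_no, "?", "?", ["record does not match #Fields header"]))
            continue
        signals = signals_for(entry)
        if len(signals) >= MIN_SIGNALS:
            request = f"{entry.get('cs-method')} {entry.get('cs-uri-stem')}?{entry.get('cs-uri-query')}"
            findings.append(Finding(line_no, entry.get("c-ip", "?"), request, signals))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.client_ip}: {f.request}")
        for s in f.signals:
            print(f"    - {s}")
```

Run against the constructed sample, only the record on line 7 is flagged: its query carries a long base64 blob, it targets a path the server answered with 404, and it has no User-Agent. The session-token record on line 8 carries an equally long blob but nothing else, so it stays below the threshold. In a real deployment the thresholds and the set of signals would be tuned against a baseline of the server's normal traffic, and the scan would be pointed at the live log directory rather than an embedded string.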
Despite the actor spending 18 months on infected networks, Symantec says it has not seen the threat actor steal data from victim machines.
The researchers concluded that Cranefly is a fairly skilled threat actor “given the deployment of a unique approach and proprietary tools, as well as the steps taken to mask evidence of this activity on victim workstations.”
The methods used to conceal this activity and the tools used to gather information point to intelligence gathering as the group’s primary goal.