Web-based attackers increasingly rely on “stealthier techniques” that are not as “noisy” as active attacks, which lets them operate undetected for a longer period of time. Stealthy techniques are employed by malware developers, who use various mechanisms to avoid detection. The approach takes its name from the term stealth, which describes doing something while avoiding notice. Once the malware is injected into a computer, these techniques allow it to operate and gain control over parts of the system, or the entire system, without issuing any alerts or notifying the user of its presence.
The Cranefly malware installs another, previously undocumented piece of malware: a new backdoor known as Trojan.Danfuan, along with other tools. This previously undocumented malware is distributed by the Geppei dropper using a new technique: reading commands from apparently innocuous Internet Information Services (IIS) logs. IIS logs are meant to record requests served by IIS, such as web pages and apps. Geppei and Danfuan together support Cranefly’s stealthy, persistent operations. Because Geppei reads commands from a legitimate IIS log, the attackers can send commands to a compromised web server by disguising them as ordinary web access requests; IIS records them as normal traffic, but Trojan.Danfuan can read them as commands. The commands contain malicious encoded .ashx files, which are saved to an arbitrary folder determined by the command parameter and run as backdoors. The previously unseen Danfuan trojan is a dynamic code compiler that compiles and executes received C# code, including a web shell called reGeorg that is also used by other actors such as APT28, DeftTorero, and Worok.
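The defensive counterpart to the technique described above is to hunt the IIS logs themselves for requests that only make sense as carriers of encoded commands or file paths. The following is an added example written for this page; it is not code from the article, from Symantec, or from the malware. It assumes a standard IIS W3C log with a `#Fields:` header, and the heuristics (a base64-looking query value, a Windows path or `.ashx` name inside a query parameter, a long high-entropy value) and their thresholds are assumptions chosen for illustration. The log lines are constructed, and the encoded value is a placeholder string, not a real Cranefly indicator.

```python
"""Added example: flag IIS W3C log lines whose query strings carry encoded blobs or
file paths, the kind of "innocuous" request a log-reading backdoor could consume.
All sample lines are constructed for illustration; none are real Cranefly IoCs."""
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl

# Constructed placeholder payload (not a real command). urlsafe base64 avoids '+',
# which a query-string parser would otherwise turn into a space.
PAYLOAD_B64 = base64.urlsafe_b64encode(
    b"constructed placeholder, not a real backdoor command"
).decode()

# Constructed IIS W3C log excerpt (IIS writes '-' for an empty query string).
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status\n"
    "2022-10-27 10:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 200\n"
    "2022-10-27 10:00:02 10.0.0.5 GET /catalog.aspx id=42 80 - 192.0.2.10 Mozilla/5.0 200\n"
    f"2022-10-27 10:00:03 10.0.0.5 GET /index.html cmd={PAYLOAD_B64} 80 - 198.51.100.7 curl/7.85.0 200\n"
    "2022-10-27 10:00:04 10.0.0.5 GET /index.html out=C%3A%5Cplaceholder%5Cdropped.ashx "
    "80 - 198.51.100.7 curl/7.85.0 200\n"
)

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")            # assumed minimum length
PATH_RE = re.compile(r"[A-Za-z]:\\|\\\\|\.ashx\b", re.IGNORECASE)  # drive, UNC or handler name


def looks_base64(value: str) -> bool:
    """True if the value is a long base64/urlsafe-base64 string that actually decodes."""
    if not B64_RE.match(value):
        return False
    std = value.replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(std, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def shannon_entropy(text: str) -> float:
    """Bits per character; long random-looking values score high."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    reasons: List[str] = field(default_factory=list)


def parse_w3c(log_text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, using the #Fields header for names."""
    fields = None
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            continue  # malformed line; a production parser would report it
        yield line_no, dict(zip(fields, tokens))


def inspect_query(query: str) -> List[str]:
    """Return the (deduplicated, sorted) list of heuristics the query string trips."""
    reasons = []
    if not query or query == "-":
        return reasons
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if looks_base64(value):
            reasons.append("encoded-query-value")
        if PATH_RE.search(value):
            reasons.append("file-path-in-query")
        if len(value) >= 32 and shannon_entropy(value) > 4.5:  # assumed thresholds
            reasons.append("high-entropy-query-value")
    return sorted(set(reasons))


def scan_iis_log(log_text: str) -> List[Finding]:
    """Scan a W3C log and return one Finding per suspicious request line."""
    findings = []
    for line_no, rec in parse_w3c(log_text):
        reasons = inspect_query(rec.get("cs-uri-query", "-"))
        if reasons:
            findings.append(Finding(line_no, rec["c-ip"], rec["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.uri_stem} -> {', '.join(f.reasons)}")
```

On the constructed excerpt the two requests from 198.51.100.7 are flagged and the two ordinary ones are not. Pivoting from a finding to every other request by the same client IP, and to any newly created `.ashx` files on the server, is the natural next step when triaging such hits; the heuristics are deliberately generic because the attacker chooses the marker strings.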
The Cranefly group stands out from typical attack groups for its particularly long dwell time, achieved with its key malware strain, QUIETEXIT, a backdoor deployed on network appliances that do not support endpoint detection, such as load balancers and wireless access point controllers. Symantec warned that the use of a novel technique, alongside customized tools and the steps taken to masquerade its activity, reinforces the notion that Cranefly is indeed a “fairly skilled” hacking group motivated by intelligence gathering.