A new post from Symantec, a Broadcom software company, has revealed details of a new method used by the Cranefly threat to communicate its malware in ongoing attack campaigns.
The Geppei malware receives orders from IIS logs
A previously unreported dropper named Trojan.Geppei from Symantec has been observed in several victims of the attack campaigns. Malware uses PyInstaller, which is a well-known tool for compiling Python code into an executable file.
The way the Geppei malware communicates with its controller is completely new: it uses Internet Information Services web server log files. Malware is activated when it detects specific strings in the IIS log file, such as “Wrde”, “Exco”, or “Cllo”. These strings do not exist in regular IIS log files. Therefore, the existence of such strings in any IIS log file is a strong indicator of an attack using the Geppei malware.
SEE: Mobile Device Security Policy (TechRepublic Premium)
An attacker can inject the commands into the IIS log files by using dummy URLs or even non-existent URLs since IIS logs 404 errors by default. The string “Wrde” activates an algorithm to decrypt the request:
GET [dummy string]Wrde[passed string to wrde()]Wrde[dummy string]
to retrieve a string that looks like this:
w+1+C:\inetpub\wwwroot\test\backdoor.ashx
The .ashx file is then saved to that location and fired. It serves as a back door to access the infected system.
If the Geppei malware parses the string “Exco” in the IIS log file, it will decrypt the string passed as a parameter:
GET [dummy string]Exco[passed string to exco()]Exco[dummy string]
The string will be executed as a command via the os.system() function. The string “Exco” is probably short for “execute command”.
The last string triggering Geppei’s malware is “Cllo”. It calls a clear() function to remove a hacking tool called sckspy.exe. This tool disables event log logging for Service Control Manager. The function also attempts to remove any lines in the IIS log that would contain command paths or malicious .ashx files.
The researchers mention that the function does not check all lines of the log file, making the cleanup incomplete. Dropped malicious .ashx files are removed in wrde() if called with ‘r’ option.
More tools
So far, Symantec has only seen two different types of backdoors installed by the “Wrde” feature.
The first one was detected as “Hacktool.Regeorg”, which is already known malware. It consists of a web shell that has the ability to create SOCKS proxies. Researchers have seen two different versions of Regeorg being used.
The second one is called “Trojan.Danfuan”. It’s a never-before-seen malware, DynamicCodeCompiler, which compiles and executes the resulting C# code, according to the researchers. It is based on .NET technology for dynamic compilation and is not created on the hard disk, but in memory. The purpose of this malware is to serve as a backdoor.
The sckspy.exe tool used by Geppei is also a previously undocumented tool.
Who is Cranefly?
Cranefly has another alias exposed in a publication by Mandiant: UNC3524. Mandiant disclosed this threat as targeting employee emails focused on corporate development, mergers and acquisitions, and large corporate transactions.
The Mandiant report also mentions the use of the Regeorg tool. The tool is public, but the threat uses a little-known version of the web shell, heavily obfuscated, to bypass detections. This version was also reported by the National Security Agency as being used by the APT28 threat. This information is not yet conclusive enough to make any attribution.
One thing for sure is that Cranefly puts a capital A in Advanced Persistent Threat. They have shown an attempt to stay under the radar by installing backdoors on unusual devices that work without security tools, such as load balancers, wireless access point controllers or NAS arrays. They also appear to use proprietary malware, another indication of a structured, effective threat actor, and are known for their long latency, spending at least 18 months on victims’ networks and immediately re-compromising the companies that infected them. discovered.
How to detect this threat
As stated earlier, any occurrence of the strings “Wrde”, “Exco”, or “Cllo” in IIS logs should be highly suspicious and investigated, as it may reveal a Geppei infection. Outbound traffic originating from unknown IP addresses should also be carefully scrutinized and investigated.
Mandiant also mentions the use of another malware called “QUIETEXIT” used by the threat, which is based on the open source Dropbear SSH client-server software. Therefore, looking for SSH traffic over ports other than port 22 can also help detect Cranefly activities.
QUIETEXIT can also be detected on hosts by searching for specific strings, as reported by Mandiant. They also provide two grep commands below to help detect QUIETEXIT:
grep “x48x8bx3cxd3x4cx89xe1xf2xae” -rs /
grep ‘xDDxE5xD5x97x20x53x27xBFxF0xA2xBAxCDx96x35x9AxADx1Cx75xEBx47’ -rs /
Finally, looking at the appliances rc.local folder for command line arguments can help detect Cranefly activities:
grep -e ” -[Xx] -p [[:digit:]{2,6}]” -rs /etc
Of course, the usual recommendations apply as the initial compromise vector remains unknown. All firmware, operating systems, and software must always be up-to-date and patched to avoid common vulnerabilities. Security solutions should be implemented on hosts and multi-factor authentication should be used whenever possible.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
Cranefly uses new communication technique in attack campaigns