
A new publication from Symantec, a Broadcom software company, details a previously unseen method that the Cranefly threat actor uses to pass commands to its malware in ongoing attack campaigns.

Geppei malware receives orders from IIS log files

Symantec observed a previously unreported dropper, Trojan.Geppei, on several victims of the campaigns. The dropper is written in Python and packaged with PyInstaller, a common tool for bundling Python code and its interpreter into a standalone executable.

The way Geppei receives its commands is new: it reads the log files of the Internet Information Services (IIS) web server on the compromised host. The malware activates when it finds specific strings in an IIS log file, namely “Wrde,” “Exco” or “Cllo.” None of these strings occurs in regular IIS logs, so their presence in any IIS log file is a strong indicator of an attack involving Geppei.


The attacker can inject commands into the IIS log files simply by sending HTTP requests for dummy URLs, even non-existent ones: IIS logs requests that end in a 404 error by default, so the request never needs to reach a real page. The “Wrde” string triggers a decryption routine on a request of the form

GET [dummy string]Wrde[passed string to wrde()]Wrde[dummy string]

and decrypts the string enclosed between the two markers. The decrypted string specifies a location on the host; a malicious .ashx file is then saved to that location and triggered. It serves as a backdoor to access the infected system.

Should Geppei find an “Exco” string in the IIS log file, it decrypts the string passed as a parameter in a request of the form

GET [dummy string]Exco[passed string to exco()]Exco[dummy string]

The decrypted string is then executed as a shell command via Python's os.system() function. The name “Exco” is probably a shortening of “execute command.”

The last string that triggers Geppei is “Cllo.” It calls a clear() function that drops a hacking tool called sckspy.exe, which disables event logging for the Service Control Manager. The function also attempts to remove from the IIS log file every line that contains a command or the path of a malicious .ashx file.

The researchers note that the function does not inspect all lines of the log file, so the cleanup is incomplete and traces of the commands can survive. The dropped .ashx files themselves are removed by wrde() when it is called with an “r” option.

More tools

So far, Symantec has seen only two different kinds of backdoors installed through the “Wrde” function.

The first is detected as “Hacktool.Regeorg,” an already-known web shell that can act as a SOCKS proxy, letting the attacker tunnel traffic into the network through the compromised web server. The researchers have seen two different versions of Regeorg in use.

The second is named “Trojan.Danfuan.” It is previously unseen malware, a DynamicCodeCompiler that compiles and executes C# code it receives, according to the researchers. It relies on .NET dynamic compilation, and the compiled code is created in memory rather than written to disk, which leaves little for file-based scanning to find. Its purpose is to serve as a backdoor.

The sckspy.exe tool used by Geppei is also a previously undocumented tool.

Who is Cranefly?

Cranefly is tracked under another alias in a publication from Mandiant: UNC3524. Mandiant describes this threat actor as one that targets the email of employees focused on corporate development, mergers and acquisitions, and large corporate transactions.

Mandiant’s report also mentions the use of the Regeorg tool. The tool is public, yet the threat actor used a little-known version of the web shell, heavily obfuscated to evade detection. That same version has been reported by the National Security Agency as used by the threat actor APT28. This overlap is not conclusive enough to support an attribution.

One sure thing is that Cranefly puts the capital A in Advanced Persistent Threat. The group has shown expertise in staying under the radar by installing backdoors on uncommon appliances that run without security tooling, such as load balancers, wireless access point controllers and NAS arrays. It also appears to use custom malware, another sign of a structured and efficient threat actor, and it is known for long dwell times, spending at least 18 months on victim networks and immediately re-compromising companies that detected and evicted it.

How to detect this threat

As explained above, any appearance of the “Wrde,” “Exco” or “Cllo” strings in IIS log files should be treated as highly suspicious and investigated, as it may reveal a Geppei infection. Unexpected outbound connections to unknown IP addresses, in particular from appliances that normally generate little traffic, should also be carefully checked.
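The following script, added here as an illustration and not code from Symantec or from the Cranefly toolset, turns the command format described above (a marker, the argument, and the same marker again, surrounded by dummy text in a request that IIS logs as a 404) into a detection that can be run over IIS logs. It parses the W3C extended log format using the #Fields directive, flags every record containing one of the three markers, and pulls out the argument between the marker pair so an analyst can see what was passed to wrde(), exco() or clear(). The sample log is constructed, and the marker arguments in it are arbitrary placeholders, not the dropper's real encoding.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# The three trigger strings Symantec reports Geppei looking for in IIS logs.
# They do not occur in ordinary IIS traffic, so a single hit deserves a look.
MARKERS = ("Wrde", "Exco", "Cllo")


@dataclass
class Hit:
    line_no: int
    marker: str
    argument: Optional[str]  # text between the marker pair; None if only one marker
    client_ip: str
    status: str
    uri: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str], str]]:
    """Yield (line_no, record, raw_line) for a W3C extended-format IIS log.

    The '#Fields:' directive names the columns, so no column order is
    hard-coded. Other '#' directives are skipped. A record whose column
    count does not match is yielded with an empty dict so its raw text is
    still inspected: the dropper itself only does a substring search.
    """
    fields: List[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        record = dict(zip(fields, values)) if len(values) == len(fields) else {}
        yield n, record, line


def scan_iis_log(lines: Iterable[str]) -> List[Hit]:
    """Flag every record containing a marker and recover its argument.

    The dropper's request shape is [dummy]<marker>[argument]<marker>[dummy],
    so the argument is the shortest span between two copies of the marker.
    A lone marker is still reported, with argument=None.
    """
    hits: List[Hit] = []
    for n, rec, raw in parse_w3c(lines):
        for marker in MARKERS:
            if marker not in raw:
                continue
            pair = re.search(f"{marker}(.*?){marker}", raw)
            hits.append(Hit(
                line_no=n,
                marker=marker,
                argument=pair.group(1) if pair else None,
                client_ip=rec.get("c-ip", "?"),
                status=rec.get("sc-status", "?"),
                uri=rec.get("cs-uri-stem", "?"),
            ))
    return hits


# Constructed sample log (not real Cranefly traffic). The marker arguments are
# arbitrary placeholders, not the dropper's real encoding. The three injected
# requests target non-existent paths and were logged as 404s, which is all the
# attacker needs for the command to land in the log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 09:12:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-10-28 09:12:07 10.0.0.5 GET /k3jhWrdeQUJDREVGWrdez9 - 80 - 198.51.100.9 curl/7.85.0 - 404 0 2 4
2022-10-28 09:12:09 10.0.0.5 GET /pq0ExcoSGVsbG8Excomm - 80 - 198.51.100.9 curl/7.85.0 - 404 0 2 3
2022-10-28 09:12:12 10.0.0.5 GET /x7ClloCllo4r - 80 - 198.51.100.9 curl/7.85.0 - 404 0 2 3
2022-10-28 09:13:44 10.0.0.5 GET /catalog.aspx id=42 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 22
""".splitlines()


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.marker} from {h.client_ip} "
              f"(HTTP {h.status}) uri={h.uri} argument={h.argument!r}")
```

Because the “Cllo” routine rewrites the log and can delete the very lines that would have matched, a clean log is not proof of absence: run the scan over archived or forwarded copies of the logs as well, and pair it with a search of the web root for unexpected .ashx files.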

Mandiant also mentions another piece of malware used by the threat actor, dubbed “QUIETEXIT,” which is based on the open source Dropbear SSH client and server. Hunting for SSH traffic on ports other than 22 might therefore also help detect Cranefly activity.

QUIETEXIT can also be discovered on hosts by searching for byte sequences specific to it, as Mandiant reports. Mandiant provides the two grep commands below. They are reproduced here with -P, so that GNU grep interprets the \x escapes as bytes rather than as the literal letter x, and with LC_ALL=C, so that bytes above 0x7F are compared byte-wise instead of being rejected as invalid UTF-8; without those two changes grep searches for the literal text and finds nothing:

LC_ALL=C grep -rsP '\x48\x8b\x3c\xd3\x4c\x89\xe1\xf2\xae' /

LC_ALL=C grep -rsP '\xDD\xE5\xD5\x97\x20\x53\x27\xBF\xF0\xA2\xBA\xCD\x96\x35\x9A\xAD\x1C\x75\xEB\x47' /

Finally, an appliance's /etc/rc.local and the other startup scripts under /etc can be searched for command-line arguments of the form a -X or -x switch followed by -p and a two- to six-digit port number. The bracket expression in the original command has been corrected and -E added so that the {2,6} repetition is interpreted:

grep -E -e ' -[Xx] -p [[:digit:]]{2,6}' -rs /etc

Of course, the usual recommendations apply, as the initial compromise vector remains unknown. All firmware, operating systems and software should be kept up to date and patched to avoid compromise through a known vulnerability; that includes the appliances this actor favors, which are easy to forget in a patch cycle. Security solutions should be deployed on hosts, and multi-factor authentication should be used wherever possible.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
