A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan.
This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.
The dropper “is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs,” the researchers said.
The toolset has been attributed by the cybersecurity company to a suspected espionage actor called UNC3524, aka Cranefly, which first came to light in May 2022 for its focus on bulk email collection from victims who deal with mergers and acquisitions and other financial transactions.
One of the group’s key malware strains is QUIETEXIT, a backdoor deployed on network appliances that do not support antivirus or endpoint detection, such as load balancers and wireless access point controllers, enabling the attacker to escape detection for extended periods of time.
Geppei and Danfuan add to Cranefly’s custom cyber weaponry, with the former acting a dropper by reading commands from IIS logs that masquerade as harmless web access requests sent to a compromised server.
“The commands read by Geppei contain malicious encoded .ashx files,” the researchers noted. “These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.”
This includes a web shell called reGeorg, which has been put to use by other actors like APT28, DeftTorero, and Worok, and a never-before-seen malware dubbed Danfuan, which is engineered to execute received C# code.
Symantec said it hasn’t observed the threat actor exfiltrating data from victim machines despite a long dwell time of 18 months on compromised networks.
“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” the researchers concluded.
“The tools deployed and efforts taken to conceal this activity […] indicate that the most likely motivation for this group is intelligence gathering.”
