
Researchers Uncover Stealthy Strategies Utilized by Cranefly Espionage Hackers

by crpt os


A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan.

This hitherto undocumented malware is delivered via another dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.

The dropper “is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs,” the researchers said.

The toolset has been attributed by the cybersecurity company to a suspected espionage actor called UNC3524, aka Cranefly, which first came to light in May 2022 for its focus on bulk email collection from victims who deal with mergers and acquisitions and other financial transactions.

One of the group’s key malware strains is QUIETEXIT, a backdoor deployed on network appliances that do not support antivirus or endpoint detection, such as load balancers and wireless access point controllers, enabling the attacker to escape detection for extended periods of time.

Geppei and Danfuan add to Cranefly's custom cyber weaponry, with the former acting as a dropper by reading commands from IIS logs that masquerade as harmless web access requests sent to a compromised server.

“The commands read by Geppei contain malicious encoded .ashx files,” the researchers noted. “These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.”
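Added example (not code from the article or from Symantec's report): a small hunt over IIS W3C logs for the pattern described above, requests whose only purpose is to get an encoded command line into the log file. It assumes nothing about Geppei's actual encoding, which the article does not give; it flags long, high-entropy path or query tokens and, as enrichment, shows a base64 decode where one exists. The field layout is the standard IIS W3C extended format; the sample log, the thresholds and the two "smuggled" payloads are constructed for illustration.

```python
"""Hunt IIS W3C logs for requests that look like smuggled commands.

Added example for this article, not code from the page or from Symantec.
It does not reproduce the Geppei command format (the article only says the
commands are encoded .ashx files hidden in ordinary-looking log lines);
thresholds and the sample log below are constructed assumptions.
"""
import base64
import math
from dataclasses import dataclass
from typing import Iterator, List
from urllib.parse import unquote

MIN_TOKEN_LEN = 32  # assumed: ordinary path/query tokens are shorter than this
MIN_ENTROPY = 4.0   # assumed: bits per character; encoded blobs sit well above it


def _b64(text: str) -> str:
    """Base64 without padding, as it would appear inside a URL path."""
    return base64.b64encode(text.encode()).decode().rstrip("=")


# Constructed sample log (not a real capture). The last two requests carry a
# long, high-entropy token where a normal site would have a short path; the
# 404 status is a constructed detail: the request only needs to be logged.
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-28 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-28 09:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 Mozilla/5.0 200
2022-10-28 09:00:02 10.0.0.5 GET /images/logo.png - 443 198.51.100.7 Mozilla/5.0 200
2022-10-28 09:00:03 10.0.0.5 GET /search.aspx q=quarterly+report 443 198.51.100.9 Mozilla/5.0 200
2022-10-28 09:00:04 10.0.0.5 GET /static/{_b64("hello world this is a test of the emergency broadcast")} - 443 203.0.113.4 Mozilla/5.0 404
2022-10-28 09:00:05 10.0.0.5 GET /api/status id={_b64("cmd=save;dir=c:/inetpub/wwwroot;name=x.ashx")} 443 203.0.113.4 Mozilla/5.0 404
"""


@dataclass
class Hit:
    time: str
    client: str
    field: str
    token: str
    entropy: float
    decoded: str  # printable base64 decode of the token, or "" if none


def shannon_entropy(s: str) -> float:
    """Bits per character over the token's own character distribution."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(token: str) -> str:
    """Return the decoded text if the token is base64 of printable ASCII, else ''."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return ""
    return text if text.isprintable() else ""


def parse_w3c(log: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def _tokens(field_value: str) -> Iterator[str]:
    """Split a URL-decoded stem on '/' and a query on '&' / '='."""
    for part in unquote(field_value).replace("&", "/").replace("=", "/").split("/"):
        if part:
            yield part


def hunt(log: str) -> List[Hit]:
    """Flag long, high-entropy tokens in the requested stem or query string."""
    hits: List[Hit] = []
    for rec in parse_w3c(log):
        for field in ("cs-uri-stem", "cs-uri-query"):
            for tok in _tokens(rec.get(field, "-")):
                if len(tok) < MIN_TOKEN_LEN:
                    continue
                ent = shannon_entropy(tok)
                if ent >= MIN_ENTROPY:
                    hits.append(Hit(rec["time"], rec["c-ip"], field, tok, round(ent, 2), try_base64(tok)))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.time} {h.client} {h.field}: len={len(h.token)} H={h.entropy} decoded={h.decoded!r}")
```

Expect false positives from long signed URLs, CDN cache keys and similar, so treat a hit as a lead to correlate, not an alert on its own: the same client producing repeated 404s with opaque tokens, and new .ashx handlers appearing under the web root around the same time, is the combination the article's description points at.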


This includes a web shell called reGeorg, which has been put to use by other actors like APT28, DeftTorero, and Worok, and a never-before-seen malware dubbed Danfuan, which is engineered to execute received C# code.

Symantec said it hasn’t observed the threat actor exfiltrating data from victim machines despite a long dwell time of 18 months on compromised networks.

“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” the researchers concluded.

“The tools deployed and efforts taken to conceal this activity […] indicate that the most likely motivation for this group is intelligence gathering.”




