Cybersecurity researchers from Symantec have discovered a brand new dropper that lurks for months before deploying backdoors, malware (opens in new tab), and other malicious tools.
In a blog post (opens in new tab), the company outlined the dropper, known as Geppei, which is apparently being used by Cranefly, a threat actor that was first described by Mandiant in May 2022.
Now, Symantec claims Cranefly is using Geppei to drop, among other things, the Danfuan malware – a brand new variant that’s yet to be thoroughly analyzed.
Novel approaches
Cranefly targets, first and foremost, people working on corporate development, mergers and acquisitions, or large corporate transactions. The goal is to gather as much intel as possible, hence the immensely long dwell time.
The researchers are saying the group can lurk around for as long as 18 months before being spotted. They manage to pull it off by installing backdoors on endpoints within the network that don’t naturally support cybersecurity tools, antivirus software (opens in new tab), and similar. The devices include SANS arrays, load balancers, or wireless access point controllers, Symantec says.
Another reason they manage to stick around for so long is due to a novel approach to get commands out to Geppei. Apparently, the dropper reads commands from a legitimate IIS log – “the technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” the researchers confirmed.
IIS logs are used to record data from IIS, such as web pages and apps. By sending commands to a compromised web server and presenting them as web access requests, Geppei can read them as actual commands.
The group also takes its persistence seriously, the researchers added. Each time the target spotted the intrusion and pushed the attackers out, they’d re-compromise it with a “variety of mechanisms” to keep the data theft campaign going.
So far, Symantec has only managed to link Geppei to Cranefly, and whether or not any other threat actors are using the same approach remains to be seen.
