31 October 2022

Cranefly cyber spies use the logs of IIS servers to send commands to infected systems

A never-before-seen dropper was discovered that installs backdoors and other malicious tools using a novel technique that involves reading commands from seemingly harmless Internet Information Services (IIS) logs.

Dubbed “Geppei” by Broadcom's Symantec threat hunter team, the dropper is being used by a threat actor known as Cranefly or UNC3524 to install another piece of hitherto undocumented malware (Trojan.Danfuan). Symantec notes that this was the first time it had encountered the technique in a real-world attack.

Cranefly was first described in Mandiant’s report in May 2022. The group was observed targeting the emails of employees that dealt with corporate development, mergers and acquisitions (M&A), and large corporate transactions.

As per Mandiant’s report, the attackers had a long dwell time, spending at least 18 months on victim networks. To evade detection, they installed backdoors on appliances that didn’t support security tools, such as SAN arrays, load balancers, and wireless access point controllers. Mandiant saw the attackers downloading a new backdoor called QuietExit, which is based on the open-source Dropbear SSH client-server software, as well as the ReGeorg web shell used as a secondary backdoor.

In the attack observed by Symantec, the threat actors deployed the Geppei dropper, which is built with PyInstaller, a tool that converts Python scripts into executable files.

Geppei reads commands from a legitimate IIS log. The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal requests, but Geppei parses them as commands. The commands contain malicious encoded .ashx files, which are saved in an arbitrary folder determined by the command parameter and then run as backdoors.

“The strings Wrde, Exco, and Cllo don't normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine. The attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default,” the researchers said.
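As an added illustration, not code from Symantec or from the article, the following Python check shows how a defender could sweep IIS W3C-format logs for request lines that carry the three marker strings quoted above; the log excerpt, paths and client IPs are constructed sample data, and the field layout is assumed to follow the log's own #Fields header.

```python
# Marker strings Symantec reports as Geppei command keywords (from the article).
GEPPEI_MARKERS = ("Wrde", "Exco", "Cllo")

# Constructed sample of an IIS W3C log; request paths, IPs and times are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-20 08:01:12 10.0.0.5 GET /index.html - 198.51.100.7 200
2022-10-20 08:01:40 10.0.0.5 GET /nonexistent.aspx Wrde=ZmFrZQ==&Exco=1 203.0.113.9 404
2022-10-20 08:02:03 10.0.0.5 GET /images/logo.png - 198.51.100.7 200
2022-10-20 08:02:55 10.0.0.5 GET /Cllo/anything - 203.0.113.9 404
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names the columns that follow
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date) carry no requests
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess columns
        yield dict(zip(fields, values))


def find_geppei_markers(text):
    """Return request records whose URI stem or query contains a marker string.

    Matching is on the request itself and ignores sc-status, because the article
    notes the actor can use dummy or non-existent URLs, which IIS logs as 404s."""
    hits = []
    for rec in parse_iis_log(text):
        request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        found = [m for m in GEPPEI_MARKERS if m in request]
        if found:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec.get("c-ip"),
                "status": rec.get("sc-status"),
                "markers": found,
                "request": request.strip(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_geppei_markers(SAMPLE_LOG):
        print(hit)
```

Case-sensitive matching on cs-uri-stem and cs-uri-query keeps the check narrow; widening it to the whole line (user agent, referer) would catch more placements at the cost of more false positives.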

The dropper delivers two payloads on the victim machine - the well-known ReGeorg web shell, which can create a SOCKS proxy, and Danfuan, a previously undocumented malware that acts as a backdoor on the infected systems.

“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor. While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering,” Symantec said.
