

A
recently
discovered
hacking
group
known
for
targeting
employees
dealing
with
corporate
transactions
has
been
linked
to
a
new
backdoor
called
Danfuan.
This
hitherto
undocumented
malware
is
delivered
via
another
dropper
called
Geppei,
researchers
from
Symantec,
by
Broadcom
Software,
said
in
a
report
shared
with
The
Hacker
News.
The
dropper “is
being
used
to
install
a
new
backdoor
and
other
tools
using
the
novel
technique
of
reading
commands
from
seemingly
innocuous
Internet
Information
Services
(IIS)
logs,”
the
researchers
said.
The
toolset
has
been
attributed
by
the
cybersecurity
company
to
a
suspected
espionage
actor
called
UNC3524,
aka
Cranefly,
which
first
came
to
light
in
May
2022
for
its
focus
on
bulk
email
collection
from
victims
who
deal
with
mergers
and
acquisitions
and
other
financial
transactions.
One
of
the
group’s
key
malware
strains
is
QUIETEXIT,
a
backdoor
deployed
on
network
appliances
that
do
not
support
antivirus
or
endpoint
detection,
such
as
load
balancers
and
wireless
access
point
controllers,
enabling
the
attacker
to
escape
detection
for
extended
periods
of
time.
Geppei
and
Danfuan
add
to
Cranefly’s
custom
cyber
weaponry,
with
the
former
acting
a
dropper
by
reading
commands
from
IIS
logs
that
masquerade
as
harmless
web
access
requests
sent
to
a
compromised
server.
“The
commands
read
by
Geppei
contain
malicious
encoded
.ashx
files,”
the
researchers
noted. “These
files
are
saved
to
an
arbitrary
folder
determined
by
the
command
parameter
and
they
run
as
backdoors.”
This
includes
a
web
shell
called
reGeorg,
which
has
been
put
to
use
by
other
actors
like
APT28,
DeftTorero,
and
Worok,
and
a
never-before-seen
malware
dubbed
Danfuan,
which
is
engineered
to
execute
received
C#
code.
Symantec
said
it
hasn’t
observed
the
threat
actor
exfiltrating
data
from
victim
machines
despite
a
long
dwell
time
of
18
months
on
compromised
networks.
“The
use
of
a
novel
technique
and
custom
tools,
as
well
as
the
steps
taken
to
hide
traces
of
this
activity
on
victim
machines,
indicate
that
Cranefly
is
a
fairly
skilled
threat
actor,”
the
researchers
concluded.
“The
tools
deployed
and
efforts
taken
to
conceal
this
activity
[…]
indicate
that
the
most
likely
motivation
for
this
group
is
intelligence
gathering.”