Home>Blog>The Hacker News Headlines>Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers
The Hacker News Headlines

Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers

Cranefly Espionage Hackers

A recently discovered hacking group known for targeting
employees dealing with corporate transactions has been linked to a
new backdoor called Danfuan.

This hitherto undocumented malware is delivered via another
dropper called Geppei, researchers from Symantec, by Broadcom
Software, said[1]
in a report shared with The Hacker News.

The dropper “is being used to install a new backdoor and other
tools using the novel technique of reading commands from seemingly
innocuous Internet Information Services (IIS) logs,” the
researchers said.

The toolset has been attributed by the cybersecurity company to
a suspected espionage actor called UNC3524, aka Cranefly, which
first came to light[2]
in May 2022 for its focus on bulk email collection from victims who
deal with mergers and acquisitions and other financial
transactions.

One of the group’s key malware strains is QUIETEXIT, a backdoor
deployed on network appliances that do not support antivirus or
endpoint detection, such as load balancers and wireless access
point controllers, enabling the attacker to escape detection for
extended periods of time.

Geppei and Danfuan add to Cranefly’s custom cyber weaponry, with
the former acting a dropper by reading commands from IIS logs that
masquerade as harmless web access requests sent to a compromised
server.

“The commands read by Geppei contain malicious encoded .ashx
files,” the researchers noted. “These files are saved to an
arbitrary folder determined by the command parameter and they run
as backdoors.”

CyberSecurity

This includes a web shell called reGeorg[3], which has been put to
use by other actors like APT28[4], DeftTorero[5], and Worok[6], and a never-before-seen
malware dubbed Danfuan, which is engineered to execute received C#
code.

Symantec said it hasn’t observed the threat actor exfiltrating
data from victim machines despite a long dwell time of 18 months on
compromised networks.

“The use of a novel technique and custom tools, as well as the
steps taken to hide traces of this activity on victim machines,
indicate that Cranefly is a fairly skilled threat actor,” the
researchers concluded.

“The tools deployed and efforts taken to conceal this activity
[…] indicate that the most likely motivation for this group is
intelligence gathering.”

References

  1. ^
    said
    (symantec-enterprise-blogs.security.com)
  2. ^
    first
    came to light     (thehackernews.com)
  3. ^
    reGeorg
    (malpedia.caad.fkie.fraunhofer.de)
  4. ^
    APT28
    (thehackernews.com)
  5. ^
    DeftTorero
    (securelist.com)
  6. ^
    Worok
    (thehackernews.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.