
Researchers Uncover Stealthy Techniques Used By Cranefly Espionage Hackers

Danfuan, a new backdoor, was recently linked to a hacking group that specializes in attacking corporate finance and HR departments.

This previously undocumented malware is delivered by a dropper called Geppei, researchers from Symantec, by Broadcom Software, said in a report shared with The Hacker News.

Using the “novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs,” the dropper “is being used to install a new backdoor and other tools,” the researchers said.

The cybersecurity firm has traced the toolset to an espionage actor it has dubbed UNC3524, also known as Cranefly, which first surfaced in May 2022 and is thought to have targeted victims involved in mergers, acquisitions, and other financial transactions through mass email collection.

The QUIETEXIT backdoor, used on network appliances like load balancers and wireless access point controllers that do not support antivirus or endpoint detection, allows the attacker to remain undetected for much longer.

Geppei and Danfuan complement Cranefly’s bespoke cyber weapons, with the former acting as a dropper by deciphering commands from IIS logs disguised as benign web access requests sent to a compromised server.

“The commands read by Geppei contain malicious encoded .ashx files,” the researchers noted. “These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.”
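The technique described above leaves a trace in the very logs it abuses: the attacker's requests, and the encoded .ashx payloads they carry, are written into the IIS W3C log before Geppei reads them back. The following detector is an added example, not Symantec's tooling or anything from the report; the log lines, client addresses and the base64-encoded handler stub are constructed here. Because the specific command markers Cranefly used are not given on this page, the example uses a generic heuristic instead (assumption): flag query-string values that are long, base64-like and high-entropy, and escalate the finding when the value decodes to ASP.NET handler source (the `<%@ WebHandler` directive that begins an .ashx file).

```python
import base64
import binascii
import math
import re
from urllib.parse import unquote

# Constructed stand-in for an encoded .ashx handler; not a real payload.
_ENCODED_STUB = base64.b64encode(
    b'<%@ WebHandler Language="C#" Class="Handler" %>\n'
    b"using System; using System.Web;\n"
    b"public class Handler : IHttpHandler { /* constructed stand-in body */ }\n"
).decode()

# Constructed IIS W3C log excerpt (cs-uri-query is its own column, '-' when empty).
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status\n"
    "2022-10-20 10:01:02 10.0.0.5 GET /index.html - 80 203.0.113.7 200\n"
    "2022-10-20 10:01:09 10.0.0.5 GET /images/logo.png - 80 203.0.113.7 200\n"
    "2022-10-20 10:02:31 10.0.0.5 GET /healthz id=42 80 203.0.113.7 200\n"
    f"2022-10-20 10:02:44 10.0.0.5 GET /healthz p={_ENCODED_STUB} 80 198.51.100.9 404\n"
)

# Heuristic thresholds (assumptions, tune per environment).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")
HANDLER_MARKER = b"<%@ WebHandler"  # directive that opens an ASP.NET .ashx source file


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of real content sits well above ordinary words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_w3c(log_text: str):
    """Yield one dict per record, keyed by the column names from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def suspicious_query_params(log_text: str, min_entropy: float = 4.0):
    """Return findings for query parameters that look like encoded payloads."""
    findings = []
    for rec in parse_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            value = unquote(value)  # unquote(), not unquote_plus(): '+' is base64 data here
            if not B64_RE.match(value) or shannon_entropy(value) < min_entropy:
                continue
            reason = "long high-entropy base64-like value"
            try:
                decoded = base64.b64decode(value, validate=True)
                if HANDLER_MARKER in decoded:
                    reason = "base64 payload decodes to ASP.NET handler (.ashx) source"
            except binascii.Error:
                pass  # looked like base64 but did not decode; keep the weaker reason
            findings.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "param": name,
                "status": rec.get("sc-status"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_query_params(SAMPLE_LOG):
        print(finding)
```

Run this over a real IIS log directory and the findings are the requests worth correlating with file-creation events for .ashx files outside the expected web roots, which is the other half of the behaviour the researchers describe. Legitimate applications do send long base64 values (session tokens, SAML responses), so the entropy threshold and the decoded-content check are what keep the false-positive rate workable.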

This includes a web shell called reGeorg, which has been put to use by other actors like APT28, DeftTorero, and Worok, and a never-before-seen malware dubbed Danfuan, which is engineered to execute received C# code.

Symantec said it hasn’t observed the threat actor exfiltrating data from victim machines despite a long dwell time of 18 months on compromised networks.

“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” the researchers concluded.

“The tools deployed and efforts taken to conceal this activity […] indicate that the most likely motivation for this group is intelligence gathering.”
