Cybersecurity researchers at Symantec have discovered a new dropper, used in intrusions that go undetected for months, that installs backdoors, malware and other malicious tools.
In a blog post the company describes the dropper, known as Geppei, which is used by Cranefly, a threat actor first documented by Mandiant in May 2022.
Symantec now reports that Cranefly uses Geppei to drop, among other things, a previously undocumented piece of malware called Danfuan, which has yet to be fully analyzed.
New approaches
Cranefly primarily targets employees working on business development, mergers and acquisitions or other major corporate transactions. The goal is to collect as much information as possible, which explains the extremely long dwell time.
The researchers say the group may remain on a victim network for as long as 18 months before being spotted. It achieves this partly by installing backdoors on network appliances that do not run endpoint security tools or antivirus software, such as SAN arrays, load balancers and wireless access point controllers, Symantec says.
Another reason they manage to stay so long is a new approach to sending commands to Geppei: the dropper reads its commands from a legitimate IIS log. “The technique of reading commands from IIS logs is not something Symantec researchers have seen being used in real-world attacks to date,” the researchers said.
IIS logs record the requests made to a Microsoft IIS web server, including the requested URL and query string. The attackers send HTTP requests containing command strings to a compromised web server; the requests look like ordinary web traffic (they do not even need to hit an existing page) but are written to the log, and Geppei then parses the log file and extracts the embedded commands.
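The mechanism described above, as an added example that is not part of the original article and not Geppei's own code: a parser for IIS W3C extended log lines, an implant-style routine that pulls commands out of request URIs, and a defender-side heuristic that flags requests carrying long encoded tokens. The log lines are constructed, and the `Cmd7` marker and the base64 encoding of the command are hypothetical; the page does not give Geppei's real marker strings or encoding. The detection heuristic goes beyond the specific case and does not depend on knowing the marker.

```python
"""
IIS-log command channel: simulate it, then detect it.
Constructed example. MARKER and the base64 encoding are hypothetical choices,
not Geppei's real format.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

MARKER = "Cmd7"  # hypothetical delimiter an operator might wrap a payload in

# Constructed W3C extended log, in the layout IIS writes by default.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-25 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-25 08:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-10-25 08:00:07 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 3
2022-10-25 08:01:12 10.0.0.5 GET /Cmd7d2hvYW1pCmd7 - 443 - 198.51.100.23 Mozilla/5.0 - 404 0 2 1
2022-10-25 08:02:40 10.0.0.5 GET /search.aspx q=Cmd7bmV0IHVzZXJzCmd7 443 - 198.51.100.23 curl/7.85.0 - 200 0 0 8
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        values = line.split(" ")  # IIS replaces spaces inside values with '+'
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def request_target(rec: Dict[str, str]) -> str:
    """Rebuild the requested path (+ query) from the stem and query fields."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def _decode_b64(token: str) -> Optional[str]:
    """Decode a possibly URL-safe, possibly unpadded base64 token; None if not printable ASCII."""
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def extract_commands(records: List[Dict[str, str]], marker: str = MARKER) -> List[Tuple[str, str]]:
    """Implant side: return (client ip, command) for every marker-wrapped payload in a request URI."""
    pattern = re.compile(re.escape(marker) + r"([A-Za-z0-9+/=_-]+?)" + re.escape(marker))
    found: List[Tuple[str, str]] = []
    for rec in records:
        for m in pattern.finditer(request_target(rec)):
            cmd = _decode_b64(m.group(1))
            if cmd:
                found.append((rec.get("c-ip", "?"), cmd))
    return found


def _looks_encoded(segment: str) -> bool:
    """A path or query segment of 12+ base64-alphabet chars mixing upper, lower and digits."""
    return (len(segment) >= 12
            and re.fullmatch(r"[A-Za-z0-9+_-]+", segment) is not None
            and any(c.islower() for c in segment)
            and any(c.isupper() for c in segment)
            and any(c.isdigit() for c in segment))


def flag_suspicious(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Defender side, marker-agnostic: (client ip, target, status) for requests with encoded-looking segments."""
    hits: List[Tuple[str, str, str]] = []
    for rec in records:
        target = request_target(rec)
        if any(_looks_encoded(seg) for seg in re.split(r"[/?&=]", target)):
            hits.append((rec.get("c-ip", "?"), target, rec.get("sc-status", "?")))
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("implant would run:", extract_commands(recs))
    print("defender flags:", flag_suspicious(recs))
```

The heuristic in `flag_suspicious` will also fire on legitimate long tokens (session identifiers, cache-busting hashes), so in practice it is a triage filter to pair with a second signal the page itself points at: an unexpected process opening the IIS log files, which a web server's own worker processes have no reason to read.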
The group is also persistent, the researchers added. Each time a target noticed the intrusion and evicted the attackers, they re-compromised it using a “variety of mechanisms” to keep the data theft campaign going.
So far, Symantec has only managed to tie Geppei to Cranefly, and whether other threat actors use the same approach remains to be seen.