A sophisticated threat group designated as Cranefly by security firm Symantec is using new techniques and tools to bolster an already comprehensive threat package. Not only is Cranefly using new techniques to further attack campaigns but also a previously undiscovered malware dropper given the name Geppei by researchers.
What alerted researchers to possible malicious activity on targeted infrastructure was the presence of the aforementioned malware dropper.
The malware is built with PyInstaller, which bundles a script into a standalone executable. It was in unpacking Geppei that researchers discovered the stealthy technique alluded to above.
The technique involves the malware reading commands from legitimate logs. Geppei targets IIS (Internet Information Services) logs, which record the web pages visited on the server as well as the applications used.
The attackers can send commands to a compromised web server by disguising them as web access requests. It is important to note that while IIS writes these requests to its logs as ordinary events, Geppei reads them as commands.
The commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder and then run as backdoors, granting the threat actor access to the target’s IT infrastructure.
To help the malware parse the relevant entries, the strings “Wrde”, “Exco”, and “Cllo” are used. These do not normally appear in IIS logs, and Geppei uses them to identify the malicious HTTP requests. Once the malware reads one of these strings, it prompts the dropper to carry out that specific activity on the machine.
The attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default. Other specific activities include string encryption and dropping backdoors to grant future access.
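As an added, defender-side illustration (not code from Symantec’s report or from the malware itself), the script below parses IIS W3C-format log lines and flags any request whose URI stem or query string carries one of the marker strings named above, including the 404 entries the article notes are written to the same log by default. The log lines are constructed samples, not a real capture.

```python
from dataclasses import dataclass

# Marker strings the article says Geppei looks for in IIS log entries.
# They are not expected in normal IIS traffic, so their presence is a signal.
GEPPEI_MARKERS = ("Wrde", "Exco", "Cllo")

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-28 09:12:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200
2022-10-28 09:12:03 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 200
2022-10-28 09:13:10 10.0.0.5 GET /does-not-exist/Wrde - 443 - 198.51.100.9 curl/7.85 404
2022-10-28 09:13:12 10.0.0.5 GET /cmd Cllo=AAAA 443 - 198.51.100.9 curl/7.85 404
2022-10-28 09:14:00 10.0.0.5 GET /about.aspx - 443 - 203.0.113.8 Mozilla/5.0 200
"""

@dataclass
class Hit:
    time: str
    client_ip: str
    status: str
    uri: str
    marker: str

def parse_iis_w3c(text):
    """Yield one dict per request row, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows rather than mis-assign columns
        yield dict(zip(fields, values))

def find_geppei_markers(text):
    """Return a Hit for every request whose stem or query contains a marker."""
    hits = []
    for row in parse_iis_w3c(text):
        query = row.get("cs-uri-query", "-")
        uri = row.get("cs-uri-stem", "") + ("?" + query if query != "-" else "")
        for marker in GEPPEI_MARKERS:
            if marker in uri:  # status is ignored on purpose: 404s count too
                hits.append(Hit(row["time"], row["c-ip"], row["sc-status"], uri, marker))
                break
    return hits

if __name__ == "__main__":
    for hit in find_geppei_markers(SAMPLE_IIS_LOG):
        print(f"{hit.time} {hit.client_ip} {hit.status} {hit.uri} marker={hit.marker}")
```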
Symantec researchers were able to attribute the attacks to Cranefly following research conducted by Mandiant, who track the group as UNC3524.
Threat actor activity and tactics between the separate events were too similar to ignore. Symantec researchers stated in their report that,
“The attackers had a long dwell time, spending at least 18 months on victim networks, and they took steps to stay under the radar by installing backdoors on appliances that didn’t support security tools - such as SANS arrays, load balancers, and wireless access point controllers. Mandiant saw the attackers downloading a new backdoor called QuietExit, which is based on the open-source Dropbear SSH client-server software. The ReGeorg web shell was also used as a secondary backdoor in the activity observed by Mandiant.”
“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor. While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”
A Brief Cranefly History
As noted by Symantec security researchers, Mandiant first published information relating to Cranefly, or UNC3524, in May 2022. In that report, researchers noted that the threat group was heavily targeting the emails of employees who dealt with corporate development, mergers and acquisitions (M&A), and large corporate transactions. Mandiant introduced the group as follows,
“Since December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect.”
A quick read of Mandiant’s report clearly shows that the threat group is skilled and experienced. During attack campaigns, the group emphasizes persistence.
Once initial access is achieved, the threat actors can remain undetected for 18 months. This is done primarily through the use of trusted applications where endpoint detection solutions have very limited or no visibility at all.
One such tactic Cranefly uses is deploying QUIETEXIT, which is based on the open-source Dropbear SSH client-server software. In cases observed by Mandiant, QUIETEXIT is used to reverse the traditional client-server roles in an SSH connection for remote access. Interestingly, QUIETEXIT has no built-in persistence mechanism; instead, Cranefly performs its own operations to keep the malware persistent.
Specifically, they install a run command and hijack legitimate application-specific startup scripts so that the backdoor executes on system startup.
The other indicator of Cranefly’s skills and experience is how the group implements operational security to help avoid detection and analysis.
Mandiant researchers noted that only a small percentage of threat actors do this, and that those who do are the more experienced and skilled groups stalking the Internet.
Cranefly achieves operational security by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes.
It was noted that these devices and appliances were running versions of operating systems that were unsupported by agent-based security tools. Further, these often had an expected level of network traffic that allowed the attackers to blend in.