Cranefly hackers exploit Microsoft IIS to deploy malware
Microsoft Internet Information Services (IIS), a web server that enables hosting of websites and web applications, is being exploited by the Cranefly hacking group to deploy and control malware on infected devices.
According to a report by cybersecurity firm Symantec, the hacking group exploits IIS technology to send commands to backdoor malware installed on the device.
Like any web server, IIS records every request it receives in its log files, including the timestamp, the source IP address, the requested URL and query string, the HTTP status code, and more. The log entry is written whether or not the request succeeds, so a request for a non-existent page from anywhere on the internet still lands in the log.
That is what makes the logs useful to an attacker. Instead of having the malware open a network connection to a command and control server, the operator simply sends crafted HTTP requests to the server; the commands end up in the log files, and the malware reads them from there. Because web server logs are rarely inspected by security software, they are an attractive place to hide commands while reducing the chance of detection.
According to Symantec researchers, Cranefly uses a new dropper named "Trojan.Geppei", which in turn installs "Trojan.Danfuan", a previously unknown piece of malware. The researchers explained that Geppei reads commands directly from the IIS logs by searching them for specific strings (Wrde, Exco, Cllo), and the log entries containing those strings are then parsed to extract payloads.
"The strings Wrde, Exco and Cllo don't normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine," explains the Symantec report.
Each string maps to an action: a request containing 'Wrde' tells Geppei to drop additional malware, 'Exco' tells it to execute a command, and 'Cllo' tells it to drop a tool that disables IIS logging. In the 'Wrde' case, Geppei places either a ReGeorg webshell or the previously undocumented Danfuan tool in a specific folder. ReGeorg is a known, documented tool that Cranefly uses for reverse proxying. Danfuan is newly discovered malware that receives C# code and dynamically compiles it in the host's memory, so no compiled payload ever has to be written to disk.
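Since the trigger strings are not expected in a healthy IIS log, the same observation the report makes is also a cheap detection: scan the logs for them. The script below is an added example, not code from Symantec or from the malware; it parses the W3C log format IIS writes (using the `#Fields:` header to name the columns) and reports every request whose URL or query string contains one of the three strings. The log content is constructed for the example, and the case-insensitive match and the choice to look only at the URI stem and query are assumptions made for detection coverage, not a description of how Geppei itself parses the log.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Trigger strings Symantec reports Geppei searching for in IIS log files.
# The match is case-insensitive as a detection choice (assumption), so a
# lowercase variant is still flagged; any hit needs a human review anyway.
TRIGGERS = ("Wrde", "Exco", "Cllo")
TRIGGER_RE = re.compile("|".join(TRIGGERS), re.IGNORECASE)

# Constructed sample of an IIS W3C log; not a real capture. The last two
# requests carry trigger strings. The first of them returns 404 and is still
# logged, which is exactly why the technique works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 00:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-10-28 00:01:09 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 4
2022-10-28 00:03:41 10.0.0.5 GET /Wrde/aGVsbG8=/Wrde - 80 - 198.51.100.23 curl/7.85.0 - 404 0 2 1
2022-10-28 00:03:55 10.0.0.5 GET /login.aspx exco=d2hvYW1p 80 - 198.51.100.23 curl/7.85.0 - 200 0 0 9
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    status: str
    trigger: str
    request: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_no, record) for each data line, naming columns from the
    most recent #Fields header. IIS may emit a new #Fields header mid-file
    (for example after a restart), so the header is tracked, not assumed."""
    fields = None
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blanks
        if fields is None:
            raise ValueError(f"line {n}: data before any #Fields header")
        # W3C fields are single-space separated; IIS replaces spaces inside
        # values (e.g. the User-Agent) with '+', so a plain split is safe.
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields, got {len(values)}")
        yield n, dict(zip(fields, values))


def scan_for_triggers(text: str) -> list[Hit]:
    """Return every request whose URI stem or query contains a trigger string."""
    hits: list[Hit] = []
    for n, rec in parse_w3c(text):
        request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        m = TRIGGER_RE.search(request)
        if m:
            hits.append(Hit(n, rec.get("c-ip", "?"), rec.get("sc-status", "?"),
                            m.group(0), request.strip()))
    return hits


if __name__ == "__main__":
    for h in scan_for_triggers(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} status={h.status} "
              f"trigger={h.trigger!r} request={h.request!r}")
```

Run against the sample, the scanner flags lines 7 and 8 of the log, both from the same client, one of them a 404. That last point is the caveat worth taking away: filtering on successful responses (status 200) would miss the first request entirely, because the attacker does not need the page to exist, only for the request to be logged.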
Cranefly uses this technique to keep a quiet foothold on compromised servers and gather intelligence covertly. Because the commands arrive as ordinary-looking web requests, the operator can send them from anywhere, through proxy servers, VPNs, Tor, or online programming IDEs, which makes the activity harder to trace and helps the group evade tracking by law enforcement.
The sources for this piece include an article in BleepingComputer.