Cranefly hackers exploit Microsoft IIS to deploy malware

November 10, 2022

Microsoft Internet Information Services (IIS), a web server that enables hosting of websites and web applications, is being exploited by the Cranefly hacking group to deploy and control malware on infected devices.

According to a report by cybersecurity firm Symantec, the hacking group exploits IIS technology to send commands to backdoor malware installed on the device.

Like any web server, IIS records each request it receives in its log files, including the timestamp, source IP address, requested URL, HTTP status code, and more. Because a public web server accepts requests from any visitor worldwide, anything a remote client puts into a request ends up written to those logs.

Malware normally receives its commands over a network connection to a command and control server. Web server logs offer an alternative channel: they store requests from any visitor worldwide and are rarely monitored by security software, which makes them an attractive place to hide malicious commands while reducing the chances of detection.

According to Symantec researchers, Cranefly uses a new dropper named “Trojan.Geppei,” which installs “Trojan.Danfuan,” a previously unknown malware. The researchers explained that Geppei reads commands directly from the IIS logs: it searches the log files for specific strings (Wrde, Exco, Cllo) and parses the surrounding request data to extract payloads.

“The strings Wrde, Exco and Cllo don’t normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine,” explains the Symantec report.

Depending on the string found, the malware installs additional malware (‘Wrde’ string), executes a command (‘Exco’ string), or drops a tool that disables IIS logging (‘Cllo’ string). If the HTTP request contains the “Wrde” string, Geppei places a ReGeorg webshell or the previously undocumented Danfuan tool in a specific folder. ReGeorg is a known tool that Cranefly uses for reverse proxying. Danfuan is a newly discovered malware that can receive C# code and dynamically compile it in the host’s memory.
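The detection that follows from the description above is straightforward: since the three marker strings are not expected in normal IIS traffic, scanning the log files for any request that contains them (including percent-encoded variants that IIS writes verbatim) surfaces this command channel. The script below is an added example written for this page, not code from Symantec, TuxCare, or the malware itself; the log lines are constructed, the field layout is the standard IIS W3C extended format, and the matching is a plain case-insensitive substring search, because the page does not describe Geppei's exact parsing rules.

```python
import urllib.parse
from dataclasses import dataclass

# Marker strings quoted in the Symantec report. Matched case-insensitively
# because the client controls the case of what IIS writes to the log.
MARKERS = ("wrde", "exco", "cllo")


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    marker: str
    request: str   # decoded stem + query of the offending request


def parse_w3c(lines):
    """Yield one dict per request line of an IIS W3C extended log.

    Field names come from the '#Fields:' directive, so the parser works with
    whatever column set the server was configured to log.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan_iis_log(lines):
    """Return a Finding for every logged request that carries a marker string."""
    findings = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        raw = stem if query == "-" else f"{stem}?{query}"
        # IIS logs the request as sent, so decode once to catch %-encoded markers.
        decoded = urllib.parse.unquote(raw)
        lowered = decoded.lower()
        for marker in MARKERS:
            if marker in lowered:
                findings.append(Finding(
                    timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                    client_ip=rec.get("c-ip", ""),
                    marker=marker,
                    request=decoded,
                ))
                break  # one finding per request is enough for triage
    return findings


def suspicious_sources(findings):
    """Distinct client IPs that sent marker-bearing requests, for follow-up."""
    return sorted({f.client_ip for f in findings})


# Constructed sample log (hypothetical hosts and addresses, placeholder payloads).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-11-01 10:15:01 10.0.0.5 GET /index.html - 203.0.113.9 Mozilla/5.0 200
2022-11-01 10:15:07 10.0.0.5 GET /images/logo.png - 203.0.113.9 Mozilla/5.0 200
2022-11-01 10:16:42 10.0.0.5 GET /test.aspx Wrde=PAYLOADPLACEHOLDERWrde 198.51.100.77 curl/7.85 404
2022-11-01 10:17:03 10.0.0.5 GET /test.aspx %45xco=COMMANDPLACEHOLDER 198.51.100.77 curl/7.85 404
2022-11-01 10:18:10 10.0.0.5 GET /about.html - 203.0.113.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit.timestamp} {hit.client_ip} marker={hit.marker} request={hit.request}")
    print("sources to investigate:", suspicious_sources(hits))
```

Two things worth noting when running this against real logs. First, the 404 responses on the flagged lines are the expected shape of this technique: the request does not need to succeed, it only needs to be logged. Second, because the check is a substring match, an ordinary path that happens to contain one of the four-letter sequences will also be flagged; the report says these strings do not normally appear in IIS logs, but review hits before acting on them, and treat a sudden gap in logging (the ‘Cllo’ behaviour) as its own signal.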

Cranefly uses the above technique to keep a low-profile foothold on compromised servers for intelligence gathering, a tactic that also helps it evade tracking by law enforcement. Because the commands arrive as ordinary web requests, attackers can relay them through various channels such as proxy servers, VPNs, Tor, or online programming IDEs.

The sources for this piece include an article in BleepingComputer.
