Microsoft Internet Information Services (IIS), a web server that enables hosting of websites and web applications, is being exploited by the Cranefly hacking group to deploy and control malware on infected devices.
According to a report by cybersecurity firm Symantec, the hacking group exploits IIS technology to send commands to backdoor malware installed on the device.
Like any web server, IIS records every request for a web page in log files that capture the timestamp, source IP address, requested URL, HTTP status code, and more.
Malware normally receives its commands over a network connection to a command-and-control server. Web server logs offer an alternative channel: they store requests from any visitor worldwide and are rarely monitored by security software, which makes them an attractive place to hide malicious commands while reducing the chances of detection.
According to Symantec researchers, Cranefly uses a new dropper named “Trojan.Geppei,” which installs “Trojan.Danfuan,” a previously unknown malware. The researchers explained that Geppei reads commands directly from the IIS logs by searching for specific strings (Wrde, Exco, Cilo), which it then parses to extract payloads.
“The strings Wrde, Exco and Cilo don’t normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine,” explains the Symantec report.
Depending on which string it finds, Geppei drops additional malware (‘Wrde’), executes a command (‘Exco’), or drops a tool that disables IIS logging (‘Cilo’). If the HTTP request contains the “Wrde” string, Geppei places a ReGeorg webshell or the previously undocumented Danfuan tool in a specific folder. ReGeorg is a known malware that Cranefly uses for reverse proxying. Danfuan is a newly discovered malware that can receive C# code and compile it dynamically in the host’s memory.
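Because the report says the three marker strings never normally appear in IIS logs, their presence is itself a detection signal. The following Python is an added defender-side example (not part of the TuxCare article or Symantec's report): it parses an IIS W3C extended log and flags any request whose URL stem or query carries one of the markers. The log content is constructed for illustration; the field names are the standard IIS W3C names.

```python
# Marker strings Symantec reports Geppei searches for in IIS log files.
# Matched case-insensitively, since the report spells them "wrde" and "Wrde".
GEPPEI_MARKERS = ("wrde", "exco", "cilo")

# Constructed sample log in IIS W3C extended format (not a real capture).
# The probe requests return 404/500: IIS logs the URL whether or not the
# resource exists, which is exactly what this technique relies on.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-28 10:00:01 10.0.0.5 GET /index.html - 203.0.113.7 Mozilla/5.0 200
2022-10-28 10:00:07 10.0.0.5 GET /img/logo.png Wrde/aGVsbG8=/Wrde 203.0.113.9 curl/7.85.0 404
2022-10-28 10:00:09 10.0.0.5 GET /about - 198.51.100.4 Mozilla/5.0 200
2022-10-28 10:00:12 10.0.0.5 POST /api Exco/d2hvYW1p/Exco 203.0.113.9 python-requests/2.28 500
"""


def parse_w3c(log_text):
    """Yield (line number, record dict) per request, keyed by the #Fields names."""
    fields = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                           # other directives and blank lines
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split(" ")               # W3C fields are space-separated;
        if len(values) != len(fields):         # spaces inside values are '+'-encoded
            continue                           # skip truncated or malformed lines
        yield lineno, dict(zip(fields, values))


def find_geppei_markers(log_text):
    """Return request lines whose URL stem or query carries a Geppei marker."""
    hits = []
    for lineno, rec in parse_w3c(log_text):
        url = f"{rec.get('cs-uri-stem', '')} {rec.get('cs-uri-query', '')}"
        for marker in GEPPEI_MARKERS:
            if marker in url.lower():
                hits.append({"line": lineno, "marker": marker,
                             "client": rec.get("c-ip"), "uri": url})
                break                          # one finding per request line
    return hits


if __name__ == "__main__":
    for hit in find_geppei_markers(SAMPLE_LOG):
        print(f"line {hit['line']}: '{hit['marker']}' from {hit['client']}: {hit['uri']}")
```

A sudden stop in log growth on a busy site is the complementary signal for the ‘Cilo’ case, since a disabled logger writes nothing for this check to read.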
Cranefly uses the technique described above to covertly gather intelligence and maintain a foothold on compromised servers, a tactic that helps it evade tracking by law enforcement. It also lets the attackers send commands through a variety of channels, such as proxy servers, VPNs, Tor, or online programming IDEs.
The sources for this piece include an article in BleepingComputer.