Cranefly uses new communication technique in attack campaigns

A new publication from Symantec, a Broadcom software company, reveals details about a new method used by the Cranefly threat actor to communicate with its malware in ongoing attack campaigns.
The malware, called Geppei, is built with PyInstaller, a well-known tool that packages Python code into an executable file.
The way Geppei communicates with its controller is completely new: it reads commands from Internet Information Services (IIS) web server log files.
The malware activates when it discovers specific strings in the IIS log file such as "Wrde," "Exco" or "Cllo." Those strings do not exist in regular IIS logs.
The existence of such strings in any IIS log file is therefore a strong indicator of an attack using the Geppei malware.
The attacker can inject commands into IIS log files by requesting dummy or even nonexistent URLs, as IIS logs 404 errors by default.
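A log sweep for the marker strings named above, as an added example that is not part of the original article or Symantec's report. It assumes IIS W3C extended logs with a `#Fields:` header and case-sensitive markers; the sample lines, the `PLACEHOLDER` text and the function name `scan_iis_log` are constructed for illustration.

```python
from urllib.parse import unquote

# Marker strings named in the article; case-sensitive matching is an assumption.
MARKERS = ("Wrde", "Exco", "Cllo")

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-30 10:00:01 192.0.2.10 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-30 10:00:05 192.0.2.10 GET /no-such-page/Wrde-PLACEHOLDER - 443 - 203.0.113.9 curl/7.85.0 404
2022-10-30 10:00:09 192.0.2.10 GET /search q=%45xco-PLACEHOLDER 443 - 203.0.113.9 curl/7.85.0 404
2022-10-30 10:00:12 192.0.2.10 GET /docs/excommunicate.html - 443 - 198.51.100.7 Mozilla/5.0 200
"""

def scan_iis_log(text):
    """Return one dict per logged request whose URI contains a marker string."""
    fields, hits = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip directives and headerless data
        row = dict(zip(fields, line.split(" ")))
        uri = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        candidates = (uri, unquote(uri))   # raw and percent-decoded forms
        found = [m for m in MARKERS if any(m in c for c in candidates)]
        if found:
            hits.append({"line": lineno, "markers": found,
                         "client": row.get("c-ip"),
                         "status": row.get("sc-status")})
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

Requests that returned 404 are reported too, since the article notes that nonexistent URLs are still written to the log.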
News URL
https://www.techrepublic.com/article/cranefly-communication-attack/