
Ordinary web access request or command to malware?
2022-10-31 16:30

A threat group that targets corporate email is delivering dropper malware through a novel technique: commands are embedded in what look like ordinary web access requests so that Microsoft Internet Information Services (IIS) writes them to its logs, from which the malware then reads them.

The dropper, dubbed Geppei, is being used by a group Symantec threat researchers call Cranefly to install other undocumented malware.

Cranefly was first described by Mandiant, when the team outlined the operations of a group it called UNC3524.

The group embeds the strings Wrde, Exco, and Cllo in its otherwise unremarkable HTTP requests; IIS records the requests in its log, and Geppei parses the log file looking for those strings to pick out the commands it should act on.
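The defensive counterpart of that technique, as an added example that is not part of the article or of Symantec's tooling: a small Python scanner that parses an IIS W3C extended log and flags every record containing one of the marker strings, the same search the dropper performs. The log lines, hostnames, paths and IP addresses below are constructed; where in the request the markers are placed, and whether Geppei matches them case-sensitively, is not stated on this page, so the scanner checks every logged field with an exact-case substring match. Note that IIS logs a request even when it returns 404, so the marked path does not need to exist on the server for the command to reach the log.

```python
"""Scan an IIS W3C extended log for the Geppei command markers (added example).

The dropper described in the article reads commands that the attacker smuggled
into IIS log entries via HTTP requests. This scanner runs the equivalent search
from the defender's side. Everything in SAMPLE_LOG is constructed for
illustration; the #Fields list mirrors a typical IIS default.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Marker strings reported for Geppei. Exact-case matching is an assumption;
# the page does not say whether the dropper is case-sensitive.
MARKERS: Tuple[str, ...] = ("Wrde", "Exco", "Cllo")

# Constructed sample log (not captured data). Line 2 and line 4 carry markers.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-31 16:30:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-31 16:30:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2022-10-31 16:30:02 10.0.0.5 GET /api/Wrde/ping cmd=Exco+whoami 443 - 198.51.100.23 Mozilla/5.0 - 404 0 2 3
2022-10-31 16:30:03 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 1
2022-10-31 16:30:04 10.0.0.5 GET /Cllo - 443 - 198.51.100.23 Mozilla/5.0 - 404 0 2 2
"""


@dataclass
class Hit:
    """One log record that contained at least one marker string."""
    date: str
    time: str
    client_ip: str
    uri_stem: str
    uri_query: str
    status: str
    markers: Tuple[str, ...]   # markers found, in field order
    fields: Tuple[str, ...]    # the field each marker was found in


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data record, keyed by the names from the #Fields line.

    W3C logs interleave directive lines (#Software, #Date, #Fields, ...) with
    data; IIS re-emits #Fields when it restarts or rotates, so the field list
    is refreshed every time it is seen. Values are space-separated because IIS
    replaces spaces inside a field with '+'.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; a production scanner would report it
        yield dict(zip(fields, values))


def find_marker_hits(text: str) -> List[Hit]:
    """Return every record in which any logged field contains a marker string."""
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        found: List[str] = []
        where: List[str] = []
        for name, value in rec.items():
            for marker in MARKERS:
                if marker in value:
                    found.append(marker)
                    where.append(name)
        if found:
            hits.append(Hit(
                date=rec.get("date", "-"),
                time=rec.get("time", "-"),
                client_ip=rec.get("c-ip", "-"),
                uri_stem=rec.get("cs-uri-stem", "-"),
                uri_query=rec.get("cs-uri-query", "-"),
                status=rec.get("sc-status", "-"),
                markers=tuple(found),
                fields=tuple(where),
            ))
    return hits


def suspicious_clients(hits: List[Hit]) -> List[str]:
    """Distinct client IPs that sent marker-bearing requests, sorted."""
    return sorted({h.client_ip for h in hits})


if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(f"{hit.date} {hit.time} {hit.client_ip} {hit.uri_stem} "
              f"{hit.uri_query} {hit.status} markers={hit.markers} in={hit.fields}")
    print("clients:", suspicious_clients(find_marker_hits(SAMPLE_LOG)))
```

Run it against a real log by reading the file into `find_marker_hits`. A substring match on four-character tokens will occasionally hit legitimate paths, so in practice the alert should be combined with the response code and client IP: a burst of 404s from one external address whose paths or query strings carry these tokens is the pattern worth escalating.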

One of the tools Geppei installs is ReGeorg, a web shell used to tunnel traffic. ReGeorg is publicly available on GitHub and has been used by a number of advanced persistent threat groups in the past, though Symantec has so far observed it only in Cranefly activity.

The threat group has been seen dwelling in a target's network for as long as 18 months, using a number of techniques to remain undetected. These include installing backdoors on appliances such as SAN arrays, load balancers, and wireless access point controllers, none of which typically supports security tools like antivirus or endpoint protection.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/31/cranefly_microsoft_iis_symantec/