November 1, 2022

A new dropper has been discovered that installs new backdoors and other tools using a specific method to read commands from relatively harmless Internet Information Services (IIS) logs.

The new dropper discreetly infects victims by abusing legitimate tools and infecting them with a form of malware or dropper known as Geppei (Trojan.Geppei), which is used by Cranefly (aka UNC3524) to deliver another form of undocumented backdoor malware known as Danfuan (Trojan.Danfuan), which grants secret access to infected systems and then spies on them.

Trojan.Geppei uses PyInstaller to convert Python scripts into executable files in the attacks. IIS logs are used to store IIS data such as web pages and apps. The attackers then send commands disguised as web access requests to a compromised web server.

For malicious HTTP requests parsed by Geppei, Cranefly also uses the strings Wrde, Exco, and CIIo to cause the dropper to run on a compromised Microsoft machine. Since IIS logs 404 errors by default, the attacker can inject commands into IIS log files by using dummy URLs or non-existent URLs. The “Wrde” string causes a decryption algorithm to be applied to the request:

When the Geppei malware parses an “Exco” string from an IIS log file, it decrypts the string passed as a parameter: GET [dummy string] Exco [passed string to exco()] Exco [dummy string] Using the os.system() function, the string would be executed as a command.

The last string that triggers Geppei malware is “Cllo,” which invokes a clear() function that drops a hacker tool called sckspy.exe. This tool disables the Service Control Manager’s eventlog logging. In addition, the function attempts to remove lines in the IIS log file that contain commands or malicious.ashx file paths.

The sources for this piece include an article in ZDNet.