Cranefly espionage hackers' technique revealed by security researchers

The newly uncovered hacking group known as Cranefly has been connected to a new backdoor that goes by the name Danfuan. Danfuan is used against personnel who handle business transactions.

Cranefly espionage hackers

Researchers from Symantec, part of Broadcom Software, said in a report shared with The Hacker News that this previously unreported malware is delivered by another dropper dubbed Geppei.

According to the findings of the researchers, the dropper "is being used to install a new backdoor and other tools utilising the unique approach of reading instructions from apparently harmless Internet Information Services (IIS) logs."

The cybersecurity company attributes the toolset to a suspected state actor tracked as UNC3524, also known as Cranefly. The actor first came to light in May 2022, when its primary focus was found to be the bulk collection of email from victims involved in mergers and acquisitions and other financial transactions.

One of the most important forms of malware that this organisation uses is called QUIETEXIT. It is a backdoor that is installed on network appliances like load balancers and wireless access point controllers that do not support antivirus software or endpoint detection. This gives the attacker the ability to remain undetected for a considerable amount of time.

Geppei and Danfuan are both additions to Cranefly's arsenal of custom cyber weapons. Geppei acts as a dropper by reading commands from IIS logs, where they masquerade as innocuous web access requests made to a compromised server.

The researchers noted that "the commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors."


This comprises a web shell known as reGeorg, which has been used by other actors such as APT28, DeftTorero, and Worok, and a piece of malware known as Danfuan, which has never been seen before and is designed to execute received C# code.
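Because the commands arrive at the server as ordinary-looking web requests and only become meaningful once written to the IIS log, the log itself is where a defender can look. The following is an added example, not code from Symantec or from the report: it parses W3C-format IIS log rows (a constructed sample, not a real capture) and flags query strings that carry a long, high-entropy token, the kind of encoded blob a legitimate page request rarely contains. The length and entropy thresholds and the sample blob are assumptions for illustration, not the actual Geppei command markers.

```python
import base64
import math
from collections import Counter
from urllib.parse import unquote

# Heuristic thresholds (assumptions, not values from the Symantec report).
MIN_BLOB_LEN = 32   # shortest query value treated as a candidate encoded blob
MIN_ENTROPY = 3.5   # bits/char; random hex is ~4, random base64 is ~5-6
BLOB_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=_-")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_w3c(log_text: str):
    """Yield one dict per data row, keyed by the names in the #Fields: directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_requests(log_text: str):
    """Return (row, value, entropy) for rows whose query holds an encoded-looking value."""
    hits = []
    for row in parse_w3c(log_text):
        query = unquote(row.get("cs-uri-query", "-"))
        for pair in query.split("&"):
            value = pair.partition("=")[2] or pair
            if len(value) >= MIN_BLOB_LEN and set(value) <= BLOB_ALPHABET:
                h = shannon_entropy(value)
                if h >= MIN_ENTROPY:
                    hits.append((row, value, round(h, 2)))
    return hits


# Constructed sample log. Row 2 shows the false-positive guard (long but low-entropy
# value); row 3 carries a base64 blob of harmless placeholder text in place of a command.
_BLOB = base64.b64encode(b"constructed placeholder text standing in for a hidden command").decode()
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-05-01 10:00:01 10.0.0.5 GET /index.html - 80 198.51.100.7 200
2022-05-01 10:00:02 10.0.0.5 GET /search.aspx page={'a' * 40} 80 198.51.100.7 200
2022-05-01 10:00:03 10.0.0.5 GET /default.aspx q={_BLOB} 80 203.0.113.9 404
"""

if __name__ == "__main__":
    for row, value, h in suspicious_requests(SAMPLE_LOG):
        print(f"{row['date']} {row['time']} {row['c-ip']} {row['cs-uri-stem']} entropy={h} value={value[:24]}...")
```

Long random session or anti-forgery tokens will also trip this heuristic, so in practice pair it with an allowlist of known parameter names and look at the same client IP's other requests before escalating.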

In spite of the threat actor's presence on infiltrated networks for an extended period of time (in this case, 18 months), Symantec said that it has not seen any data being stolen from victim workstations.

The researchers came to the conclusion that the employment of a unique approach and proprietary tools, in addition to the measures taken to mask traces of this activity on victim PCs, suggest that Cranefly is a reasonably sophisticated threat actor.

The researchers added: "The tools used and the steps taken to conceal this activity [...] indicate that the most likely motivation for this group is intelligence gathering."
