Highly skilled cyber attackers are using a never-before-seen technique to hide their malicious activities and compromise victims with trojan malware backdoors.
This intelligence gathering and espionage campaign has been detailed by cybersecurity researchers at Symantec.
The researchers found that attackers can spend more than 18 months inside the victims' networks, all while taking steps to ensure their activity stays under the radar to avoid detection.
How the attack begins is still uncertain, but victims become infected with a previously undocumented form of malware called “Geppei.”
Geppei, which is used to deliver another form of backdoor malware, named “Danfuan”, provides secret access to compromised machines, along with the ability to snoop on data stored or entered on systems.
The attackers attempt to stay under the radar by installing backdoors on appliances that didn’t support security tools, such as:
- SAN Arrays
- Load Balancers
- Wireless Access Point Controllers
Never-Before-Seen Malware Delivery Technique
Symantec researchers say, what makes this campaign unique is the way Geppei abuses Internet Information Services (IIS) logs to remain undetected.
“The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team, told ZDNET.
IIS logs form part of Windows server services and are commonly used for troubleshooting web applications, along with providing information on how users interact with websites and applications.
Geppei reads commands from a legitimate IIS log, a file meant to record requests made to IIS-hosted web pages and apps.
In this scenario, the attackers can send commands to a compromised web server by disguising them as web access requests. The IIS logs them as normal, while the trojan can read them as commands.
The commands read by Geppei contain malicious encoded files, which are saved to an arbitrary folder and run as backdoors.
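As a defensive illustration of the technique described above, here is a heuristic scanner for IIS W3C logs that flags request fields carrying a bare encoded blob instead of ordinary web traffic. This is an added example for this article, not Symantec's or Cranefly's code; the log excerpt, field layout, regular expression and thresholds are constructed assumptions, and since the real malware's command format is not given here, the scanner looks only for the generic shape a command would have to take to be written into a log by IIS.

```python
"""Heuristic scan of IIS W3C extended log lines for request fields that carry
an encoded payload rather than ordinary web traffic.

Added example for this article, not Symantec's or Cranefly's code. The log
lines, field layout and thresholds below are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed IIS W3C log excerpt: a #Fields directive followed by entries.
# Line 8 carries a 64-character base64-looking token as the whole query
# string (a constructed sample, not a real command), against a path that
# does not exist; IIS still logs the request, hence the 404.
# Line 9 is a negative case: long but zero-entropy, so it is not flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-27 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-27 00:00:01 10.0.0.5 GET /index.html - 443 203.0.113.10 Mozilla/5.0 200
2022-10-27 00:00:02 10.0.0.5 GET /api/v2/reports/2022-Q3-summary.pdf id=123&lang=en 443 203.0.113.10 Mozilla/5.0 200
2022-10-27 00:00:03 10.0.0.5 GET /search q=quarterly+report 443 203.0.113.11 Mozilla/5.0 200
2022-10-27 00:00:04 10.0.0.5 GET /xyz Q29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtY29tbWFuZC1ibG9iLTEyMzQ1 443 198.51.100.7 curl/7.68.0 404
2022-10-27 00:00:05 10.0.0.5 GET /status AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 443 203.0.113.12 Mozilla/5.0 200
"""

# A token that is nothing but a base64 or hex blob of at least 40 characters.
BLOB_RE = re.compile(r"^(?:[A-Za-z0-9+/]{40,}={0,2}|[A-Fa-f0-9]{40,})$")
MIN_ENTROPY = 3.0  # bits per character; rules out padding such as "AAAA..."


@dataclass
class Hit:
    line_no: int
    client_ip: str
    status: str
    field: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field -> value) for each entry, honouring #Fields."""
    fields: list[str] | None = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entries before any #Fields directive cannot be mapped
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; a production tool should report it
        yield no, dict(zip(fields, values))


def candidate_tokens(entry: dict[str, str]) -> Iterator[tuple[str, str]]:
    """Request pieces a client controls and IIS writes into the log verbatim."""
    for seg in entry.get("cs-uri-stem", "-").split("/"):
        if seg:
            yield "cs-uri-stem", seg
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        yield "cs-uri-query", query  # whole query, e.g. a bare padded blob
        for pair in query.split("&"):  # then each key and value separately
            for part in pair.split("=", 1):
                if part:
                    yield "cs-uri-query", part


def scan(text: str) -> list[Hit]:
    """Return one Hit per distinct blob-like token found in each entry."""
    hits: list[Hit] = []
    for no, entry in parse_w3c(text):
        seen: set[str] = set()
        for field, token in candidate_tokens(entry):
            if token in seen:
                continue
            seen.add(token)
            if BLOB_RE.match(token) and shannon_entropy(token) >= MIN_ENTROPY:
                hits.append(Hit(no, entry.get("c-ip", "-"),
                                entry.get("sc-status", "-"), field, token))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.field} from {h.client_ip} "
              f"(status {h.status}) -> {h.token[:24]}...")
```

Run against a real log directory, the scanner is only a first filter: its real value is that the request does not need to hit an existing page for IIS to record it, so the status column is worth keeping in the output. Because the backdoor described above must open the log files to fetch its commands, pairing this with monitoring of which processes read the IIS log directory gives a second, independent signal.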
The Cyber Attackers Behind This Hacking Campaign
The attacks are linked to a group that Symantec calls Cranefly – also known as UNC3524.
Researchers suggest that the novel and exceedingly stealthy methods used in this campaign indicate that it’s the work of a “fairly skilled threat actor” who is motivated by intelligence gathering.
“The development of custom malware and new tools requires a certain level of skills and resources that not all threat actors have.”
“So it implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks,” said O Gorman.
Symantec hasn’t linked the attacks to any particular attacker, but researchers at Mandiant have previously noted that methodologies used in campaigns by Cranefly/UNC3524 “overlapped with techniques used by multiple Russia-based espionage threat actors.”
Techniques To Prevent & Detect Attacks
The campaign isn't widespread but it still remains active, which poses a danger to organizations.
Cyber criminals behind the attack are only going to continue to adopt new techniques to better hide their attack methods.
Luckily, there are many techniques organizations can employ to help prevent or detect these attacks and other malicious cyber campaigns.
Some Sophos Cyber Security Awareness Tips:
- Multi-Factor Authentication (MFA) on all accounts: https://www.bvainc.com/2022/10/12/sophos-cyber-security-awareness-tip-1-multi-factor-mfa/
- Using Strong Passwords & Password Managers: https://www.bvainc.com/2022/10/17/sophos-cyber-security-awareness-tip-2-strong-passwords/
- Update & Patch Software: https://www.bvainc.com/2022/10/27/sophos-cyber-security-awareness-tip-3-updating-software/
- Phishing Awareness & Prevention: https://www.bvainc.com/2022/10/28/sophos-cyber-security-awareness-tip-4-phishing-awareness/
“Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain,” recommends O Gorman.