Highly skilled cyber attackers are using a never-before-seen technique to hide their malicious activities and compromise victims with trojan malware backdoors.

This intelligence gathering and espionage campaign has been detailed by cybersecurity researchers at Symantec.
The researchers found that attackers can spend more than 18 months inside victims' networks, all while taking steps to keep their activity under the radar and avoid detection.
How the attack begins is still uncertain, but victims become infected with a previously undocumented form of malware called “Geppei.”
Geppei, which is used to deliver another form of backdoor malware, named “Danfuan”, provides secret access to compromised machines, along with the ability to snoop on data stored or entered on systems.
The attackers attempt to stay under the radar by installing backdoors on appliances that didn’t support security tools, such as:
- SAN Arrays
- Load Balancers
- Wireless Access Point Controllers
Never-Before-Seen Malware Delivery Technique
Symantec researchers say that what makes this campaign unique is the way Geppei abuses Internet Information Services (IIS) logs to remain undetected.
“The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team, told ZDNET.
IIS logs form part of Windows server services and are commonly used for troubleshooting web applications, along with providing information on how users interact with websites and applications.
Geppei reads commands from legitimate IIS logs, which are meant to record data from IIS, such as web pages and apps.
In this scenario, the attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal, while the trojan reads them as commands.
The commands read by Geppei contain malicious encoded files, which are saved to an arbitrary folder and run as backdoors.
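A defensive sketch of how the log-borne commands described above could be hunted for, added here as an example and not taken from Symantec's report: it parses W3C-format IIS logs and flags requests whose URI carries a long, high-entropy token, which is what an encoded file embedded in a web request looks like. The length and entropy thresholds, the function names and the sample log are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Assumed tuning values for this illustration; adjust against your own baseline traffic.
MIN_TOKEN_LEN = 40   # shorter runs are common in ordinary URLs
MIN_ENTROPY = 4.5    # bits per character; English-like slugs sit well below this
TOKEN_RE = re.compile(r"[A-Za-z0-9+_\-]{%d,}" % MIN_TOKEN_LEN)

def shannon_entropy(s):
    """Empirical Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def suspicious_entries(log_text):
    """Return (date, time, client IP, token) for requests carrying a long, high-entropy token."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is set here and can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                       # other W3C directives (#Software, #Date, ...)
        row = dict(zip(fields, line.split(" ")))
        for name in ("cs-uri-stem", "cs-uri-query"):
            for token in TOKEN_RE.findall(row.get(name, "")):
                if shannon_entropy(token) >= MIN_ENTROPY:
                    hits.append((row.get("date"), row.get("time"), row.get("c-ip"), token))
    return hits

# Constructed sample data: the blob is derived from a hash, not from any real malware or incident.
BLOB = base64.urlsafe_b64encode(hashlib.sha512(b"constructed sample").digest()).decode().rstrip("=")
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2022-10-01 10:00:01 GET /index.html - 203.0.113.5 200",
    "2022-10-01 10:00:07 GET /docs/wireless-access-point-controllers-overview-page - 203.0.113.5 200",
    "2022-10-01 10:02:13 GET /status/" + BLOB + " - 198.51.100.9 404",
])

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(hit)
```

Legitimate session identifiers and cache-busting tokens can also match, so hits are leads to triage rather than verdicts.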
The Cyber Attackers Behind This Hacking Campaign
The attacks are linked to a group that Symantec calls Cranefly – also known as UNC3524.
Researchers suggest that the novel and exceedingly stealthy methods used in this campaign indicate that it’s the work of a “fairly skilled threat actor” who is motivated by intelligence gathering.
“The development of custom malware and new tools requires a certain level of skills and resources that not all threat actors have.”
“So it implies that those behind Cranefly have a certain level of skills that makes them capable of carrying out stealthy and innovative cyberattacks,” said O Gorman.
Symantec hasn’t linked the attacks to any particular attacker, but researchers at Mandiant have previously noted that methodologies used in campaigns by Cranefly/UNC3524 “overlapped with techniques used by multiple Russia-based espionage threat actors.”
Techniques To Prevent & Detect Attacks
The campaign isn’t widespread but it still remains active, which poses a danger to organizations.
Cyber criminals behind the attack are only going to continue to adopt new techniques to better hide attack methods.
Luckily, there are many techniques organizations can employ to help prevent or detect attacks and other malicious cyber campaigns.
Some Sophos Cyber Security Awareness Tips:
- Multi-Factor Authentication (MFA) on all accounts: https://www.bvainc.com/2022/10/12/sophos-cyber-security-awareness-tip-1-multi-factor-mfa/
- Using Strong Passwords & Password Managers: https://www.bvainc.com/2022/10/17/sophos-cyber-security-awareness-tip-2-strong-passwords/
- Update & Patch Software: https://www.bvainc.com/2022/10/27/sophos-cyber-security-awareness-tip-3-updating-software/
- Phishing Awareness & Prevention: https://www.bvainc.com/2022/10/28/sophos-cyber-security-awareness-tip-4-phishing-awareness/
“Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain,” recommends O Gorman.
BVA Cyber Security Services & Solutions
No matter the industry, cyber security is essential.
As your trusted cyber security service provider, we’ll assist your business in creating a successful in-depth strategy that encompasses multiple detection, protection, and hardening technologies.