Update November 2, 2022: Updated with new information regarding the link to UNC3524.
Symantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs.
The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly to install another piece of hitherto undocumented malware (Trojan.Danfuan) and other tools. The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks.
Initial analysis appeared to show a link between Cranefly activity and the activity of a group called UNC3524 that Mandiant published a blog about in May 2022. This link was based primarily on the use of the ReGeorg web shell; however, as ReGeorg is publicly available on GitHub, its use alone is not sufficient to establish a firm link.
The first malicious activity Symantec researchers saw on victim machines was the presence of a previously undocumented dropper (Trojan.Geppei). It is built with PyInstaller, which packages a Python script into a standalone executable file.
Geppei reads commands from a legitimate IIS log. IIS logs are meant to record the requests handled by IIS, such as those for web pages and apps. The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal requests, but Trojan.Geppei can read them as commands.
The commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.
The strings Wrde, Exco, and Cllo don't normally appear in IIS log files. These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine.
The attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default.
```python
import datetime

# Decompiled fragment of the Geppei dropper's main loop. The functions it
# calls (wrde(), exco(), clear(), Decrpt()) are not included in this extract.
flist = ['Wrde', 'Exco', 'Cllo', 'AppleWEBKit']
timenumber = 10
rows = 0
gflag = 0
print('One Two Three')
today = datetime.date.today()
list1 = str(today).split('-')
# Builds the current day's IIS log name in the standard u_exYYMMDD.log form;
# the list indexes were lost in extraction and are restored from that convention
filename = 'u_ex' + list1[0][2:] + list1[1] + list1[2] + '.log'
path = 'C:/inetpub/logs/LogFiles/W3SVC1/' + filename
# Note that the dropper computes 'path' but opens a copy of the log in
# C:\windows\temp; the copying step is not shown in this extract
fp = open('C:\\windows\\temp\\IIS1.log', 'r')
line = fp.readline()
for i in range(rows):  # skip rows already processed on an earlier pass
    line = fp.readline()
if line != '':
    # A marker is acted on only when it appears exactly twice on the line,
    # i.e. splitting on it yields three parts: [dummy, payload, dummy]
    if len(line.split('Wrde')) == 3:
        temp1 = line.split('Wrde')  # temp1[1] is passed to wrde()
    if len(line.split('Exco')) == 3:
        temp2 = line.split('Exco')  # temp2[1] is passed to exco()
    if len(line.split('Cllo')) == 3:
        pass  # clear() is called here; body not shown in the extract
    line = fp.readline()
    rows += 1
```
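The same "marker appears exactly twice" condition the dropper uses to recognise a command can be turned around by defenders and run over IIS logs. The following script is an added example (not Symantec's code and not part of the dropper): it parses IIS W3C extended log lines using the `#Fields:` directive, applies the dropper's split test to the request stem and query only, and reports each hit with its client address and HTTP status. The sample log embedded in it is constructed for illustration; the request lines with 404 status show why a non-existent URL still reaches the dropper, as the report notes. The `AppleWEBKit` entry from the dropper's list is deliberately not used as a signal, since it is a normal user-agent token.

```python
"""Detect Geppei-style commands hidden in IIS W3C extended logs (added example)."""
from typing import Dict, List

# Marker strings named in the report; the dropper acts when one of them
# appears exactly twice on a log line.
MARKERS = ("Wrde", "Exco", "Cllo")


def parse_w3c_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request.

    IIS emits a '#Fields:' directive naming the space-separated columns; the
    column set can change mid-file, so the header is re-read whenever it
    reappears. Other '#' directives (#Software, #Date, ...) are skipped.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def marker_hits(record: Dict[str, str]) -> List[str]:
    """Return the markers that appear exactly twice in the request URI.

    This mirrors the dropper's len(line.split(marker)) == 3 test, restricted
    to cs-uri-stem and cs-uri-query so a marker in e.g. a user-agent is ignored.
    """
    uri = record.get("cs-uri-stem", "") + "?" + record.get("cs-uri-query", "")
    return [m for m in MARKERS if len(uri.split(m)) == 3]


def find_suspicious_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return a triage summary for every log entry that carries a hidden command."""
    findings = []
    for rec in parse_w3c_lines(lines):
        hits = marker_hits(rec)
        if hits:
            findings.append({
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "client": rec.get("c-ip", ""),
                "status": rec.get("sc-status", ""),
                "markers": ",".join(hits),
                "uri": rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""),
            })
    return findings


# Constructed sample log (not a real capture). The third and fourth requests
# are 404s for URLs that do not exist; IIS records them anyway, which is what
# the dropper relies on. The last request has the marker only once, so it is
# not a hit.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-20 08:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+AppleWebKit/537.36 200 0 0 15
2022-10-20 08:01:09 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+AppleWebKit/537.36 200 0 0 3
2022-10-20 08:02:31 10.0.0.5 GET /nothere/xxWrdeENCODEDPAYLOADWrdeyy - 80 - 198.51.100.9 Mozilla/5.0 404 0 2 1
2022-10-20 08:03:44 10.0.0.5 GET /nothere/exec zzExcoENCODEDPAYLOADExcozz 80 - 198.51.100.9 Mozilla/5.0 404 0 2 1
2022-10-20 08:04:10 10.0.0.5 GET /Wrdelike - 80 - 203.0.113.7 Mozilla/5.0 404 0 2 1
""".splitlines()

if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Run against a real log directory, the function would be fed each `u_ex*.log` file line by line; because the dropper's own clear() routine tries to delete these lines afterwards, the scan is most reliable on a copy of the log forwarded off the host as it is written rather than on the file still on the web server.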
If the malicious HTTP request sample contains "Wrde" e.g.:
- GET [dummy string]Wrde[passed string to wrde()]Wrde[dummy string]
The passed string to wrde() is decrypted by Decrpt().
The decrypted string is expected to look like the following:
These are the malicious .ashx files, which are saved as:
The backdoors that are dropped by this dropper include:
- Hacktool.Regeorg: ReGeorg is a known malware, a web shell that can create a SOCKS proxy. Two versions of ReGeorg were seen in the activity observed by Symantec.
- Trojan.Danfuan: This is a previously unseen malware. It is a DynamicCodeCompiler that compiles and executes C# code it receives, and appears to be based on .NET dynamic compilation technology. Code compiled this way is never written to disk but exists only in memory. It acts as a backdoor on infected systems.
When the malicious HTTP request sample contains "Exco", e.g.:
- GET [dummy string]Exco[passed string to exco()]Exco[dummy string]
The passed string to exco() is decrypted by Decrpt(), and the decrypted string is then executed as a command via os.system().
If the malicious HTTP request contains "Cllo", function clear() is called. This function drops a hacking tool called sckspy.exe to disable eventlog logging for Service Control Manager. This appears to be another previously undocumented tool.
It also appears that the clear() function attempts to remove lines that contain command or malicious .ashx file paths from the IIS log file; however, it does not inspect all lines so this function does not seem to work as intended.
```python
import os

# Decompiled fragment of clear(); text4 holds the base64-encoded sckspy.exe
text4 = '[malicious base64 encoded exe file]'
if gflag == 0:
    # The blob is written to a temp file (the write call is not shown in this
    # extract), decoded with certutil, and the resulting CAB is expanded into
    # System32 as sckspy.exe
    fw = open('c:\\windows\\temp\\DMI27F127.txt', 'w')
    os.system('certutil -decode c:\\windows\\temp\\DMI27F127.txt c:\\windows\\temp\\DMI27F127.cab')
    os.system('expand c:\\windows\\temp\\DMI27F127.cab c:\\windows\\system32\\sckspy.exe')
    # A result file is read back; gflag is set so the drop is not repeated
    fp = open('c:\\windows\\temp\\DMI27F128.txt', 'r')
    str1 = fp.readline()
    if str1.find('success') != -1:
        gflag = 1
```
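Because clear() tries to delete the log lines that carried its commands or the paths of the dropped .ashx files, a copy of the IIS log shipped off the host as it is written (by whatever log forwarder is in use) becomes a baseline against which the on-disk file can be checked. The script below is an added example, not Symantec's code, and assumes only that both copies are available as lists of lines: it reports every request line present in the shipped copy but absent from the on-disk file, and labels the ones that match the indicators described in this report. The sample lines are constructed for illustration.

```python
"""Report IIS log lines removed after the fact by comparing a shipped copy
against the on-disk file (added example, not Symantec's code)."""
from collections import Counter
from typing import List, Tuple

# Marker strings named in the report
MARKERS = ("Wrde", "Exco", "Cllo")


def removed_lines(shipped: List[str], on_disk: List[str]) -> List[str]:
    """Return request lines of the shipped copy that no longer appear on disk.

    '#' directive lines are ignored because IIS rewrites them on restart. A
    Counter is used so that a request logged twice and deleted once is still
    reported, which a plain set difference would miss.
    """
    def entries(lines: List[str]) -> Counter:
        return Counter(l.rstrip("\r\n") for l in lines
                       if l.strip() and not l.startswith("#"))

    missing = entries(shipped) - entries(on_disk)
    seen: Counter = Counter()
    out: List[str] = []
    for l in shipped:  # preserve the shipped order in the report
        key = l.rstrip("\r\n")
        if missing[key] > seen[key]:
            out.append(key)
            seen[key] += 1
    return out


def tamper_report(shipped: List[str], on_disk: List[str]) -> List[Tuple[str, str]]:
    """Pair each removed line with the indicator it matches, if any."""
    report = []
    for line in removed_lines(shipped, on_disk):
        if ".ashx" in line:
            reason = "references dropped .ashx file"
        elif any(len(line.split(m)) == 3 for m in MARKERS):
            reason = "carries Geppei command marker"
        else:
            reason = "removed, no known indicator"
        report.append((line, reason))
    return report


# Constructed sample: the shipped copy is complete; the on-disk copy is missing
# the command line and the .ashx request, as clear() intends.
SHIPPED = [
    "#Fields: date time cs-method cs-uri-stem sc-status",
    "2022-10-20 08:01:02 GET /index.html 200",
    "2022-10-20 08:02:31 GET /nothere/xxWrdeENCODEDPAYLOADWrdeyy 404",
    "2022-10-20 08:02:40 GET /index.html 200",
    "2022-10-20 08:03:05 GET /tmp/cmd.ashx 200",
    "2022-10-20 08:03:44 GET /images/logo.png 200",
]
ON_DISK = [
    "#Fields: date time cs-method cs-uri-stem sc-status",
    "2022-10-20 08:01:02 GET /index.html 200",
    "2022-10-20 08:02:40 GET /index.html 200",
    "2022-10-20 08:03:44 GET /images/logo.png 200",
]

if __name__ == "__main__":
    for line, reason in tamper_report(SHIPPED, ON_DISK):
        print(f"{reason}: {line}")
```

The report notes that clear() does not inspect every line, so in practice the on-disk file may still contain some command lines; the comparison above complements a direct marker scan rather than replacing it.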
Dropped malicious .ashx files (i.e. Trojan.Danfuan and Hacktool.Regeorg) are removed in wrde() if it is called with option 'r':
```python
import os

# Decompiled fragment of wrde() handling the 'r' (remove) option, as extracted
if info == 'r':
    # Normalise doubled backslashes in the path taken from the log line
    temp = info.replace('\\\\', '\\')
    os.system('del ' + temp)
    name = temp.split('\\')
    # The index on 'name' (presumably the final path component) appears to have
    # been lost in extraction; the body of this branch is not shown
    if name in flist:
        pass
```
Hacktool.Regeorg has been used by multiple advanced persistent threat (APT) groups in the past, but as this code is publicly available on GitHub, its use does not offer sufficient clues for attribution. Symantec was unable to link this activity to any known groups.
The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor. While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity indicate that the most likely motivation for this group is intelligence gathering.
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise