Danfuan backdoor used by the Cranefly espionage group

November 9, 2022

The relatively new threat group Cranefly uses the Danfuan backdoor against corporate targets, in particular companies involved in large financial transactions such as mergers and acquisitions. Danfuan is a previously undocumented backdoor delivered by a dropper known as Geppei.

According to the investigation, the threat actors use the dropper to install the new backdoor and other tools via a novel technique: reading attacker commands out of Internet Information Services (IIS) web server logs.

The toolset is attributed to a suspected espionage group tracked as Cranefly, also known as UNC3524. The group was first publicly identified in May 2022, after researchers observed it carrying out bulk email collection from victim organisations.

Most of the group's victims were companies that were merging with or being acquired by other organisations, that is, organisations in the middle of large financial transactions.

The Cranefly group also uses another malware strain alongside the Danfuan backdoor.

Reports revealed that Cranefly uses a second backdoor alongside Danfuan: QUIETEXIT. This backdoor is deployed on network appliances that cannot run endpoint detection and response (EDR) or antivirus agents.

Devices such as wireless access point controllers and load balancers are therefore attractive targets: with no security agent able to run on them, a backdoor planted there lets the attackers keep a foothold in the network for extended periods with little chance of detection.

Geppei and Danfuan are a potent pairing for Cranefly's operators. Geppei acts as the dropper: the operators send HTTP requests to a compromised IIS server that look like ordinary web access requests, IIS records them in its log as it would any other request, and Geppei then reads the log file and decodes the commands hidden in those entries.

The commands Geppei reads contain encoded .ashx files. Geppei saves these files to an arbitrary folder determined by a command parameter, and they run as backdoors.
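The log-as-command-channel described above is also a detection opportunity: the operators' requests have to be written to the IIS log before the dropper can read them, so a defender can look for them in the same place. The following is an added example, not code from the original article or from any Symantec or Cranefly tooling. It parses W3C extended IIS log lines and flags entries whose query string or path carries a configured marker token or a long encoded blob, then decodes the blob so an analyst can see what was smuggled in. The sample log lines, the marker token `cmdmarker`, the client addresses and the 16-character threshold are all constructed for this example; the marker strings the real dropper looks for are not given on this page, so the example deliberately does not use them.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple
from urllib.parse import unquote

# Constructed IIS W3C extended log (not a real capture). The first two data
# lines are ordinary traffic. The third and fourth are "operator" requests: the
# resource does not even exist (404), but IIS still logs the request, which is
# all a log-reading dropper needs. "cmdmarker" is a placeholder token invented
# for this example, not the marker string any real malware family uses.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-27 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-27 09:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 Mozilla/5.0 200
2022-10-27 09:00:03 10.0.0.5 GET /api/items id=42&sort=asc 443 198.51.100.7 Mozilla/5.0 200
2022-10-27 09:00:09 10.0.0.5 GET /images/logo.png cmdmarker=cHJpbnQoJ2hlbGxvJyk= 443 203.0.113.9 Mozilla/5.0 404
2022-10-27 09:00:12 10.0.0.5 GET /favicon.ico d=68656c6c6f20776f726c64 443 203.0.113.9 Mozilla/5.0 404
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[bytes] = None   # payload recovered from the last blob seen


def parse_w3c(text: str) -> Iterator[Tuple[int, dict]]:
    """Yield (line_no, {field: value}) for each data line, using the #Fields directive."""
    names = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
            continue
        if names is None:
            continue                      # data before any #Fields header: cannot be mapped
        values = line.split(" ")          # W3C format is space-delimited, one token per field
        if len(values) != len(names):
            continue                      # malformed line; a real tool would report it
        yield line_no, dict(zip(names, values))


def try_decode(value: str, min_len: int) -> Optional[Tuple[str, bytes]]:
    """Return (kind, plaintext) if value is a long hex or base64 blob, else None.

    Hex is tested first: a pure-hex string is also valid base64, so it is
    ambiguous, and treating it as hex is the more useful guess for an analyst.
    """
    if len(value) < min_len:
        return None
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return "hex-encoded blob", bytes.fromhex(value)
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            return "base64-encoded blob", base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def scan_iis_log(text: str, markers=("cmdmarker",), min_blob_len: int = 16) -> List[Finding]:
    """Flag log entries that look like commands smuggled in through web requests."""
    findings: List[Finding] = []
    for line_no, f in parse_w3c(text):
        reasons: List[str] = []
        decoded = None
        query = f.get("cs-uri-query", "-")
        for pair in ([] if query == "-" else query.split("&")):
            key, _, value = pair.partition("=")
            value = unquote(value)        # IIS may percent-encode the logged query
            if key in markers:
                reasons.append(f"marker token '{key}'")
            hit = try_decode(value, min_blob_len)
            if hit:
                reasons.append(hit[0])
                decoded = hit[1]
        # A command can equally be carried in the requested path itself.
        for seg in f.get("cs-uri-stem", "").split("/"):
            hit = try_decode(unquote(seg), min_blob_len)
            if hit:
                reasons.append(f"{hit[0]} in path")
                decoded = hit[1]
        if reasons:
            findings.append(Finding(line_no, f.get("c-ip", "?"), f.get("cs-uri-stem", "?"), reasons, decoded))
    return findings


if __name__ == "__main__":
    for fnd in scan_iis_log(SAMPLE_LOG):
        print(f"line {fnd.line_no}: {fnd.client_ip} -> {fnd.uri_stem}: "
              f"{', '.join(fnd.reasons)}; payload={fnd.decoded!r}")
```

In practice the blob threshold needs tuning against your own traffic, since base64 session tokens and tracking parameters are common in legitimate query strings; the marker-token check is the low-noise signal once the specific strings for a given dropper are known. Pair the log scan with monitoring for newly created .ashx files under the web root, because those files are the artefacts the decoded commands leave behind.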

Among the backdoors dropped this way is reGeorg, a web shell previously used by other threat groups including DeftTorero, Worok and APT28. The other is Danfuan, the previously undocumented backdoor, which the threat actors developed to receive C# code and compile and execute it on the compromised host.

Despite the attackers having been inside victim networks for more than a year, the experts found no evidence that they had exfiltrated data from the infected machines.
