Web-based cybersecurity attackers use “stealthier techniques” which are not as “noisy” as active attacks, making it easier to continue undetected for a longer period of time. Stealthy techniques are employed by malware developers which utilize various mechanisms to avoid detection. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice. Once injected into a computer, the stealthier techniques enable the malware to operate and gain control over parts of the system or the entire system without issuing any alerts or notifying the user of its presence.
A news report broadcasted by the hacker news outlines the Sealthy Techniques revealed by researchers from Symantec which are being utilized by Cranefly Espionage Hackers. The Cranefly Espionage hackers group is recognized for attacking bulk email collections of employees that worked in corporate development, mergers, acquisitions and large corporate transactions. Initial analysis appeared to show a link between the toolset of Cranefly activity and that of a group called UNC3524 which surfaced for the first time in May 2022. These attackers spent at least 18 months on victim networks without retreating data and used backdoors on appliances that didn’t support security tools to remain undetected.
The Cranefly malware installs another piece of undocumented malware which is a new backdoor known as Trojan.Danfuan and other tools. The previously undocumented malware is being distributed through the Geppei dropper using the new technique of reading commands from apparently innocuous Internet Information Services (IIS) logs. IIS logs are meant to record data from IIS, such as web pages and apps. Geppei and Danfuan aid the Cranefly’s cyber rigidity. Geppei reads commands from a legitimate IIS log and the attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal but Trojan.Danfuan can read them as commands. The commands contain malicious encoded .ashx files which are saved to an arbitrary folder determined by the command parameter and run as backdoors. The unprecedented Danfuan trojan is a dynamic code compiler that compiles and executes received C# code including a web shell called reGeorg exercised also by other actors like APT28, DeftTorero, and Worok.
The group of Canefly attackers stands out from typical attack groups with a particularly long dwell time utilizing its key malware strain; QUIETEXIT which is a backdoor deployed on network appliances that do not endorse endpoint detection, such as load balancers and wireless access point controllers. Symantec warned that the employment of a novel technique alongside customized tools and the steps taken to masquerade their activity emphasize on the notion that the Cranefly is indeed a “fairly skilled” hacking group with an incentive of intelligence gathering.
The ever growing scope of expanding attack surfaces is of particular concern in today’s dynamic threat landscape. Cybersecurity resilience from attacks like Cranefly using stealthy techniques involves the continuous discovery, inventory, classification, prioritization, security monitoring and visibility into the systems to identify cyber threats that could facilitate data breaches and data leaks.