Threat Actor Stores Malware Commands in IIS Logs

Symantec researchers have discovered a stealth campaign attributed to the Cranefly hacking group (aka UNC3524). An interesting technique is used by the threat actor as their malware backdoor reads commands from Internet Information Services (IIS) logs. Malicious activity was first spotted from the group's malware dropper, Trojan.Geppei. The malware is able to convert python scripts into executable files using the Python application, PyInstaller. It reads commands from IIS contained in encoded .ashx files, "Geppei reads commands from a legitimate IIS log. IIS logs are meant to record data from IIS, such as web pages and apps. The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal but Trojan.Geppei can read them as commands." The malicious .ashx files are uploaded to random folders specified in the code parameters. Specific strings not common in IIS logs such as Wrde, Exco, and Cllo to initiate activity. "These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine. The attackers can use a dummy URL or even a non-existent URL to send these commands because IIS logs 404s in the same log file by default." Each string will initiate different activity, the 'Wrde' string will install additional backdoor malware or web shells. The 'Exco' string is used to decrypt and execute OS commands. Lastly, the 'Cllo' string will download a tool named, sckspy.exe to disable IIS logging. Activity observed from Cranefly has always been associated with long stealth operations for intelligence collection. Mandiant was the first to discover the group's activities in May 2022, maintaining access to compromised environments for over 18 months to steal business intelligence from Exchange emails.