Project Hyphae

CraneFly Unleashes Novel IIS Attack

Share This Post

Researchers at Symantec have discovered and documented a previously unknown dropper called Geppei. This dropper trojan is being used to install backdoors like Dunfuan and Regeorg on load balancers, wireless access point controllers, and SAN arrays.

What makes this attack so unique is the method of commanding the dropper. The developers, a hacking group Symantec refers to as Cranefly, are using the hosting server’s legitimate IIS logs to communicate with Geppei. The attackers send commands to a compromised web server by disguising them as web access requests. IIS records these requests in its log file, as normal, but Geppei can then read that log file and interpret these requests as commands; commands which often contain malicious, encoded .ashx files to be used as backdoors for attackers.

An in-depth breakdown of how this trojan dropper operates, as well as a list of identified Indicators of Compromise in attacks using Geppei, can be found in Symantec’s original article:

More To Explore

Information Security News 11-28-2022

Know Thy Enemy: Thinking Like a Hacker can Boost Cybersecurity Strategy Article Link: 90% of Organizations Have Microsoft 365 Security Gaps Article Link:

Information Security News 11-21-2022

Transportation Sector Targeted by Both Ransomware and APTs Article Link: Misconfigurations, Vulnerabilities Found in 95% of Applications Article Link: Electronics Repair Technicians Snoop

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.