Project Hyphae

CraneFly Unleashes Novel IIS Attack

Share This Post

Researchers at Symantec have discovered and documented a previously unknown dropper called Geppei. This dropper trojan is being used to install backdoors like Dunfuan and Regeorg on load balancers, wireless access point controllers, and SAN arrays.

What makes this attack so unique is the method of commanding the dropper. The developers, a hacking group Symantec refers to as Cranefly, are using the hosting server’s legitimate IIS logs to communicate with Geppei. The attackers send commands to a compromised web server by disguising them as web access requests. IIS records these requests in its log file, as normal, but Geppei can then read that log file and interpret these requests as commands; commands which often contain malicious, encoded .ashx files to be used as backdoors for attackers.

An in-depth breakdown of how this trojan dropper operates, as well as a list of identified Indicators of Compromise in attacks using Geppei, can be found in Symantec’s original article:

More To Explore

Information Security News 3-20-2023

LockBit 3.0 Ransomware: Inside the Cyberthreat That’s Costing Millions Article Link: BianLian Ransomware Crew Goes 100% Extortion After Free Decryptor Lands Article Link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.