Researchers at Symantec have discovered and documented a previously unknown dropper called Geppei. This dropper trojan is being used to install backdoors like Dunfuan and Regeorg on load balancers, wireless access point controllers, and SAN arrays.
What makes this attack so unique is the method of commanding the dropper. The developers, a hacking group Symantec refers to as Cranefly, are using the hosting server’s legitimate IIS logs to communicate with Geppei. The attackers send commands to a compromised web server by disguising them as web access requests. IIS records these requests in its log file, as normal, but Geppei can then read that log file and interpret these requests as commands; commands which often contain malicious, encoded .ashx files to be used as backdoors for attackers.
An in-depth breakdown of how this trojan dropper operates, as well as a list of identified Indicators of Compromise in attacks using Geppei, can be found in Symantec’s original article: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan