The attackers' arsenal includes the Geppei dropper and the Danfuan backdoor.
Researchers from Symantec have described a new cyber-espionage group, Cranefly, and its tools. After analyzing the attackers' activity, the experts found the Danfuan backdoor and the Geppei dropper in their arsenal.
Geppei uses a new technique: it reads commands from Internet Information Services (IIS) logs in order to install Danfuan and other hacking tools, the researchers say. In addition, the dropper reads commands containing malicious .ashx files, which are saved in an arbitrary folder specified by the command parameter and run as backdoors.
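A defensive hunt for the .ashx backdoors described above, as an added example that is not from Symantec or the original article: it parses IIS W3C logs and lists requests to .ashx handlers that are missing from an inventory of handlers the application ships. The sample log, the `KNOWN_HANDLERS` inventory and the function names are constructed assumptions.

```python
# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-01 08:00:01 GET /app/Upload.ashx id=7 198.51.100.10 200
2022-10-01 08:05:12 POST /images/cache/thumb.ashx - 203.0.113.5 200
2022-10-01 08:05:40 GET /index.aspx - 198.51.100.10 200
2022-10-02 23:14:09 POST /Images/Cache/Thumb.ashx - 203.0.113.9 200
2022-10-03 01:00:00 GET /old/report.ashx - 198.51.100.77 404
"""

# Assumption: handlers the application is known to deploy, lower-cased
# because IIS resolves URL paths case-insensitively.
KNOWN_HANDLERS = {"/app/upload.ashx"}


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def unexpected_ashx(text, known=KNOWN_HANDLERS):
    """Summarise served .ashx handlers that are absent from the inventory."""
    hits = {}
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith(".ashx") or stem in known:
            continue
        if row.get("sc-status") == "404":
            continue  # no such file on disk, so nothing was executed
        when = f"{row.get('date', '')} {row.get('time', '')}"
        entry = hits.setdefault(
            stem, {"count": 0, "clients": set(), "first": when, "last": when})
        entry["count"] += 1
        entry["clients"].add(row.get("c-ip", "-"))
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return hits


if __name__ == "__main__":
    for stem, info in unexpected_ashx(SAMPLE_LOG).items():
        print(stem, info["count"], sorted(info["clients"]), info["first"], info["last"])
```

Each flagged path is a lead to check on disk: a handler in a folder the application never deploys to warrants a look at its creation time and contents.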
Symantec attributed this toolkit to UNC3524, aka Cranefly, which first became known in May 2022. At that time, the attackers were collecting in bulk the emails of victims involved in mergers, acquisitions and other financial transactions.
The hallmark of this group is QUIETEXIT, a backdoor installed on network devices that do not support antivirus or endpoint threat detection, which allows the attackers to remain on the network for a very long time without being noticed.
According to Symantec, Cranefly was not seen stealing data from victims' devices, despite being on infected networks for up to 18 months. Summing up, experts called Cranefly an experienced gang of hackers who use special tools for attacks and actively cover their tracks.