Hackers use Microsoft IIS web server logs to control malware

Hacking group Cranefly, aka UNC3524, uses a novel technique to control malware on infected devices through Microsoft Internet Information Services (IIS) web server logs.

Microsoft Internet Information Services (IIS) is a web server that can host websites and web applications. It is also used by other software such as Outlook on the Web (OWA) for Microsoft Exchange to host business applications and web interfaces.

Like any web server, when a remote user accesses a web page, IIS logs the request to log files containing timestamps, source IP addresses, requested URL, HTTP status codes, and more.

These logs are typically used for troubleshooting and analysis, but a new report from Symantec shows that a hacking group is using a new technique: sending commands to backdoor malware installed on the device by planting them in the IIS logs.

Malware typically receives commands over network connections to command and control servers. However, many organizations monitor network traffic to detect malicious communications.

Web server logs, on the other hand, record requests from any visitor in the world and are rarely monitored by security software, making them an attractive place to store malicious commands while reducing the chances of detection.

This is somewhat similar to the technique of hiding malware in Windows Event Logs, seen in May 2022, used by threat actors to evade detection.

The Symantec researchers who discovered this new tactic say it’s the first time they’ve seen it in the wild.

For a group of skilled cyberspies like Cranefly, previously spotted by Mandiant spending 18 months in compromised networks, evading detection is a crucial factor in their malicious campaigns.

New Trojan for new tricks

Symantec has discovered a new dropper used by Cranefly, named “Trojan.Geppei”, which installs “Trojan.Danfuan”, a previously unknown piece of malware.

Geppei reads commands directly from IIS logs, looking for specific strings (Wrde, Exco, Cllo) which are then parsed to extract commands and payloads.

“Wrde, Exco, and Cllo strings do not normally appear in IIS log files,” Symantec’s report explains.

“These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to perform some activity on a machine.”

Figure: The main function of Geppei (Symantec)

Depending on the string found in the IIS log, the malware will install additional malware (string “Wrde”), run a command (string “Exco”), or remove a tool that disables IIS logging (string “Cllo”).

For example, if the HTTP request contains the string “Wrde”, Geppei drops a previously undocumented ReGeorg webshell or Danfuan tool into a specified folder.

ReGeorg is documented malware that Cranefly uses for reverse proxying, while Danfuan is newly discovered malware that can receive C# code and dynamically compile it on host memory.

If the request contains the string “Exco”, the backdoor decrypts and launches an operating system command on the server.

Finally, the string “Cllo” calls the clear() function which removes a hacking tool named “sckspy.exe”, which disables event logging on the service control manager.

Figure: The clear function (Symantec)

Cranefly uses this stealth technique to keep a foothold on compromised servers and silently gather intelligence.

This tactic also helps avoid tracking by law enforcement and researchers, as attackers can deliver commands through various means such as proxy servers, VPNs, Tor, or online programming IDEs.

It’s unclear how long hackers have been abusing this method in their attacks or how many servers have been compromised.

Although many defenders are likely already monitoring IIS logs for signs of web shells, these routines may need to be modified to also look for command strings used in this campaign.
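One way to add that check to an existing IIS log review, as an added example that is not from the article or from Symantec's report: a small parser for the W3C log format IIS writes by default, followed by a scan of every client-supplied field (the cs-* columns, which is where attacker-controlled request data lands) for the three marker strings named above. The sample log is constructed for the example; the field layout is the standard W3C one, and the marker list is taken from the article.

```python
"""Scan Microsoft IIS W3C-format logs for the Geppei marker strings (added example)."""
from typing import Dict, Iterator, List, Tuple

# Marker strings from the Symantec report; they do not occur in normal IIS logs.
MARKERS = ("Wrde", "Exco", "Cllo")

# Constructed sample log, not real traffic. W3C logs start with '#' directive
# lines; '#Fields:' names the columns of every record that follows it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 12:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15
2022-10-28 12:00:09 10.0.0.5 GET /owa/auth/logon.aspx Wrde=example 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2022-10-28 12:01:13 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Exco/1.0 - 200 0 0 30
2022-10-28 12:02:47 10.0.0.5 GET /Cllo.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 3
2022-10-28 12:03:00 10.0.0.5 GET /welcome.html - 443 - 192.0.2.44 Mozilla/5.0 - 200 0 0 8
"""


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_number, record) for every data line of a W3C IIS log.

    IIS can repeat the '#Fields:' directive (for example after a restart), so
    the current column list is tracked as the file is read. Values are space
    separated; IIS replaces spaces inside a value with '+', so a plain split
    is correct.
    """
    fields: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            # Malformed record: surface it rather than silently dropping it.
            yield lineno, {"_raw": line, "_error": "field count mismatch"}
            continue
        yield lineno, dict(zip(fields, values))


def find_markers(text: str) -> List[Dict[str, object]]:
    """Return one finding per (record, field) in which a marker string appears.

    Only client-supplied fields (cs-method, cs-uri-stem, cs-uri-query,
    cs(User-Agent), ...) are checked. Matching is case-sensitive, like the
    strings reported, and a hit is a lead to investigate, not proof on its own.
    """
    findings: List[Dict[str, object]] = []
    for lineno, rec in parse_w3c(text):
        if "_error" in rec:
            continue
        for name, value in rec.items():
            if not name.startswith("cs"):
                continue
            for marker in MARKERS:
                if marker in value:
                    findings.append({
                        "line": lineno,
                        "client_ip": rec.get("c-ip", "?"),
                        "field": name,
                        "marker": marker,
                        "value": value,
                    })
    return findings


if __name__ == "__main__":
    for hit in find_markers(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['marker']} in {hit['field']} "
              f"from {hit['client_ip']} ({hit['value']})")
```

Run against a real file, the same function takes the log contents and returns the hits grouped by line, so they can be fed into whatever alerting the existing web-shell review already uses. The field-count check matters in practice: a truncated or partially written line should not be discarded without a trace, because a gap in a log being used as a command channel is itself worth a look.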
