New Malware Lurks on your System for Months before Deploying

Cybersecurity researchers at Symantec discovered a new dropper that lurks on a victim’s system for months before deploying backdoors, malware and other malicious tools. They call it “Geppei”, and it is being used by Cranefly, a threat actor first described in May 2022.

Symantec is claiming that Cranefly is using Geppei to spread Danfuan malware, a new variant that has yet to be thoroughly analyzed.

Cranefly primarily targets the corporate environment, focusing on workers in corporate development, mergers and acquisitions, or large corporate transactions. The goal is to procure as much information as possible, which explains why the malware lurks in the background for so long.

According to the researchers, the group can lurk for as long as 18 months before being discovered. They pull it off by installing backdoors on endpoints within the network that do not natively support cybersecurity tools, antivirus software, or similar agents. According to Symantec, these devices include SAN arrays, load balancers, and wireless access points.

Another reason they stick around for so long is the novel approach used to deliver commands to Geppei: the dropper reads its commands from a legitimate IIS log.

“The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” the researchers confirmed.

IIS logs record the requests made to an IIS web server, such as for webpages and apps. By sending its commands to a compromised web server disguised as ordinary web access requests, the attacker gets them written into the log, where Geppei reads them back as actual commands.
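One defensive angle on this technique is that the attacker’s command-carrying requests still land in the same log a defender can parse. The following added example (not code from the page or from Symantec’s report, which does not describe Geppei’s actual command format) parses IIS W3C-format log lines and flags requests to non-existent pages whose query string is unusually long and high-entropy; the sample log lines and the thresholds are constructed assumptions to tune against a real baseline.

```python
"""Heuristic triage of IIS W3C logs for request fields that may carry smuggled
content. Defender-side example with constructed data; the thresholds below are
assumptions, not values taken from any real implant."""
import math
from collections import Counter

# Constructed sample log in IIS W3C extended format (not from a real server).
# IIS writes spaces inside fields such as the User-Agent as '+', so each row
# splits cleanly on whitespace.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 10:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-01 10:00:02 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 200
2022-10-01 10:00:03 10.0.0.5 GET /api/items id=42&sort=asc 443 - 198.51.100.9 Mozilla/5.0 200
2022-10-01 10:00:04 10.0.0.5 GET /nonexistent.aspx cmd=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZmdoaWo 443 - 203.0.113.44 curl/7.85 404
"""

def entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_w3c(text: str):
    """Yield one dict per data row, naming columns from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_rows(text: str, min_len: int = 24, min_entropy: float = 4.0):
    """Return rows where the request failed with 404 AND the query string is
    long and high-entropy. A request for a page that does not exist is still
    written to the log, which is what a log-reading implant relies on; benign
    traffic rarely sends dense, encoded-looking queries to missing pages."""
    hits = []
    for row in parse_w3c(text):
        query = row.get("cs-uri-query", "-")
        if query == "-" or row.get("sc-status") != "404":
            continue
        if len(query) >= min_len and entropy(query) >= min_entropy:
            hits.append(row)
    return hits
```

Rows this flags are a starting point for review, not a verdict; pairing the hit with host telemetry showing which process reads the log file is the stronger signal.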

Cranefly is also incredibly persistent. Each time they were spotted and pushed out, they’d re-compromise the system with a “variety of mechanisms” to keep the data theft campaign going.

Symantec has so far only been able to link Geppei to Cranefly. It is not known whether other threat actors are using the same approach.

Story via techradar.com