Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign

Symantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs. The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly to install another previously undocumented piece of malware (Trojan.Danfuan) and other tools. Symantec researchers had not seen commands being read from IIS logs in real-world attacks before this campaign. The channel works because IIS records every request it receives, including requests for resources that do not exist, so an attacker who can reach the web server can place arbitrary strings in the log file without needing a successful response or any write access to the host; the dropper then only has to read a file that every IIS server already has.
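The summary above describes a dropper that takes its instructions from IIS log entries. As an added example (my own code, not Symantec's and not anything from the Cranefly toolset), the script below parses a constructed W3C-format IIS log and flags requests whose query string carries a base64 token that decodes to printable text, which is the kind of "write anything to the log" request such a channel depends on. The sample log lines, the base64 heuristic and the minimum token length are assumptions made for illustration; the page does not describe Geppei's actual marker strings or parsing, so this is a generic hunting heuristic for log-borne payloads, not a Geppei signature.

```python
import base64
import binascii
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample of an IIS W3C extended log (assumption: made up for this
# example, not taken from the Symantec report or any real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-28 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 09:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 12
2022-10-28 09:00:02 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 3
2022-10-28 09:00:03 10.0.0.5 GET /nonexistent.aspx cmd=d2hvYW1pIC9hbGw= 80 - 198.51.100.9 Mozilla/5.0 404 0 2 1
2022-10-28 09:00:04 10.0.0.5 GET /healthz - 80 - 10.0.0.8 curl/7.81 200 0 0 1
2022-10-28 09:00:05 10.0.0.5 GET /list.aspx page=2&sort=asc 80 - 203.0.113.7 Mozilla/5.0 200 0 0 8
"""

# Heuristic (assumption): a run of at least 12 base64 alphabet characters,
# optionally padded, is worth trying to decode. Tune for your own traffic.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the last #Fields header.

    IIS writes a new #Fields line whenever the logged field set changes, so the
    header is tracked as we go rather than read once.
    """
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; in production, count and report these
        yield dict(zip(fields, values))


def decode_printable_b64(token: str) -> Optional[str]:
    """Return the decoded text if token is strict base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def hunt(text: str) -> List[Dict[str, str]]:
    """Flag requests whose query string carries a base64 token that decodes to text.

    Status code is deliberately not filtered on: a request for a path that does
    not exist is still written to the log, which is exactly what makes the log
    usable as a command channel.
    """
    findings: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" for an empty field
            continue
        for match in B64_TOKEN.finditer(query):
            decoded = decode_printable_b64(match.group(0))
            if decoded is None:
                continue
            findings.append({
                "c-ip": rec["c-ip"],
                "uri": rec["cs-uri-stem"] + "?" + query,
                "status": rec["sc-status"],
                "decoded": decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Two points worth carrying into a real hunt: the flagged line in the sample is a 404, so any pipeline that drops unsuccessful requests before analysis will never see the channel; and production logs contain plenty of legitimate base64 (view state, session tokens, tracking parameters), so the decoded text needs a second look, for example for shell keywords or for repeated requests from one client to paths that do not exist.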


ADVERSARY: Cranefly

MALWARE FAMILIES: ReGeorg, Trojan.Geppei, Trojan.Danfuan

ATT&CK IDS: T1102 - Web Service, T1562 - Impair Defenses, T1059 - Command and Scripting Interpreter, T1014 - Rootkit, T1140 - Deobfuscate/Decode Files or Information, T1564 - Hide Artifacts, T1204 - User Execution