Symantec, by Broadcom Software, has discovered a previously undocumented dropper that is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs.
The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly (aka UNC3524) to install another piece of hitherto undocumented malware (Trojan.Danfuan) and other tools. Reading commands from IIS logs is not a technique Symantec researchers have seen used in real-world attacks to date.
Mandiant first published about Cranefly in May 2022, describing how the group was heavily targeting the emails of employees who dealt with corporate development, mergers and acquisitions (M&A), and large corporate transactions.
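As an added illustration (not Symantec's code, and not a description of how Geppei itself parses the log), here is a defender-side scan of IIS W3C extended log lines for requests whose recorded URI could be carrying content planted for later retrieval by malware on the server; the sample log lines, the field layout and both heuristics are constructed assumptions, not indicators from the report.

```python
"""Scan IIS W3C extended log lines for requests that could be carrying
attacker-supplied content. Added example, not Symantec's or Cranefly's
code; the log records and the heuristics below are constructed."""
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C format: one ordinary request and one
# request to a missing resource (404) whose URI carries a long encoded
# value. IIS still writes such a request to the log, which is what lets
# a dropper read it back later as a command.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-28 10:01:02 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200
2022-10-28 10:01:09 10.0.0.5 GET /nonexistent.aspx cmd=Zm9vYmFyYmF6cXV4cXV1eGJsYWhibGFo%3D%3D 443 - 203.0.113.7 python-requests/2.28 404
"""

def parse_iis_log(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess at columns
        yield dict(zip(fields, values))

# Assumption: a query value made of 24+ base64 characters is worth a look.
ENCODED_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def suspicious(record, min_len=24):
    """Heuristic (an assumption, not from the report): flag a request that
    hit a missing resource yet carried a long query, or whose query value
    looks like a base64 blob. Both are ways to park content in the log."""
    query = unquote(record.get("cs-uri-query", "-"))
    if query == "-":
        return False
    if record.get("sc-status") == "404" and len(query) >= min_len:
        return True
    value = query.split("=", 1)[-1]
    return bool(ENCODED_BLOB.match(value))

def scan(text):
    """Return (timestamp, client ip, uri stem) for every flagged record."""
    return [(r["date"] + " " + r["time"], r["c-ip"], r["cs-uri-stem"])
            for r in parse_iis_log(text) if suspicious(r)]
```

Hits from `scan()` are a starting point for review alongside process activity on the IIS host, since the request that plants the content and the process that later reads the log file are two separate events.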
Source: Symantec