Hackers use Microsoft IIS web server logs to control malware

07 November 2022

The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs.

Microsoft Internet Information Services (IIS) is a web server that allows hosting websites and web applications. It’s also used by other software such as Outlook on the Web (OWA) for Microsoft Exchange to host management apps and web interfaces.

Like any web server, when a remote user accesses a webpage, IIS will log the request to log files that contain the timestamp, source IP addesses, the requested URL, HTTP status codes, and more.

These logs are typically used for troubleshooting and analytics, but a new report by Symantec shows that a hacking group is utilizing the novel technique of using IIS logs to send commands to backdoor malware installed on the device.

Malware commonly receives commands through network connections to command and control servers. However, many organizations monitor network traffic to find malicious communication.

On the other hand, web server logs are used to store requests from any visitor worldwide and are rarely monitored by security software, making them an interesting location to store malicious commands while reducing the chances of being detected.

This is somewhat similar to the technique of hiding malware in Windows Event Logs, seen in May 2022, used by threat actors to evade detection.

Researchers who discovered this new tactic say it’s the first time they observed it in the wild.

For a group of skillful cyberspies like Cranefly, spending 18 months in compromised networks, evading detection is a crucial factor in their malicious campaigns.

 

New trojan for new tricks

Researcher discovered a new dropper used by Cranefly, named "Trojan.Geppei," which installs "Trojan.Danfuan," a previously unknown malware.

Geppei reads commands directly from the IIS logs, looking for specific strings (Wrde, Exco, Cllo) that are then parsed to extract commands and payloads.

"The strings Wrde, Exco, and Cllo don't normally appear in IIS log files," explains by researcher.

"These appear to be used for malicious HTTP request parsing by Geppei; the presence of these strings prompts the dropper to carry out activity on a machine."

Geppei's primary function 

Depending on the string found in the IIS log, the malware will install additional malware ('Wrde' string), execute a command ('Exco' string), or drop a tool that disables IIS logging ('Cllo' string).

For example, if the HTTP request contains the "Wrde" string, Geppei drops a ReGeorg webshell or a previously undocumented Danfuan tool in a specified folder.

ReGeorg is a documented malware that Cranefly uses for reverse proxying, while Danfuan is a newly discovered malware that can receive C# code and compile it dynamically on the host's memory.

If the request contains the "Exco" string, the backdoor decrypts and launches an OS command on the server.

Finally, the "Cllo" string calls the clear() function that drops a hacking tool named "sckspy.exe," which disables event log logging on the Service Control Manager.

The clear function

Cranefly uses this stealthy technique to maintain a foothold on compromised servers and silently gather intelligence.

This tactic also helps evade tracking by law enforcement and researchers, as the attackers can deliver commands through various means like proxy servers, VPNs, Tor, or online programming IDEs.

It is unknown how long the threat actors might have been abusing this method in their attacks or how many servers have been compromised. 

While many defenders are likely already monitoring IIS logs for signs of web shells, those routines may need to be tweaked to also search for the command strings used in this campaign.

 

 

Related News

Vulnerability In 16.5K+ VMware ESXi Instances Let Attackers Execute Code

25 Mar 2024

VMware has acknowledged the presence of several vulnerabilities in its products after they were privately reported.The company has released updates to address these issues in the affected software. While each vulnerability is rated as ‘Important,’ their combined potential impact escalates to ‘Critical’ severity. Shadowserver has tweeted a warning about vulnerabilities in VMware ESXi instances. These vulnerabilities can enable a malicious actor with local admin privileges to bypass sandbox protections. Shadowserver is conducting scans and sharing its findings to help mitigate the risks associated with these vulnerabilities.

Read More

NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

20 Mar 2024

The National Institute of Standards and Technology has revised the book on creating a comprehensive cybersecurity program that aims to help organizations of every size be more secure. Here's where to start putting the changes into action.

Read More

Proactive Ransomware Mitigation

15 Mar 2024

A ransomware attack has a direct impact on a business’s bottom line. Ransomware payments nearly doubled from 2022 to 2023 to $1.5 million14, and the average total cost of a data breach disclosed by the attacker has risen to $5.2 million15.

Read More