A previously undocumented dropper has been spotted installing backdoors and other tools using the new technique of reading commands from apparently innocuous Internet Information Services (IIS) logs.
The dropper was discovered by cybersecurity researchers at Symantec, who said a threat actor they track as Cranefly (aka UNC3524) is using it to install another piece of undocumented malware (Trojan.Danfuan) and other tools.
Cranefly was first discovered by Mandiant in May, with the security company saying the group heavily targeted the emails of employees who worked in corporate development, mergers and acquisitions, and large corporate transactions.
According to Mandiant, these attackers spent at least 18 months on victim networks and used backdoors on appliances that didn’t support security tools to remain undetected.
The new Symantec advisory says that some of the backdoors used by UNC3524 relied on Hacktool.Regeorg, an open-source tool used by multiple advanced persistent threat (APT) clusters.
“Symantec was unable to link this activity to any known groups other than the UNC3524 group documented by Mandiant, which we track as Cranefly,” the company wrote.
Further, Symantec has warned that the use of a novel technique alongside the custom tools and the steps taken to hide their activity indicate that Cranefly is a "fairly skilled" hacking group.
“While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”
Symantec has provided a list of indicators of compromise (IoCs) for this threat in its advisory, as well as on its Protection Bulletins page.
Another threat actor typically focusing on intelligence gathering is Polonium, which was recently seen by ESET using seven different backdoor variants to spy on Israeli organizations.