The CraneFly hacking group, also known as UNC3524, has been seen using a novel technique in which Microsoft Internet Information Services (IIS) web server logs are used to control malware. Microsoft IIS is a web server that hosts websites and web applications; it is also used by software such as Outlook on the Web for Microsoft Exchange to host management applications and web interfaces. Like any web server, when a remote user accesses a web page, IIS writes the request to log files that record the timestamp, source IP, and requested URL, among other information. While these logs are typically used for troubleshooting, CraneFly has been detected by Symantec using the IIS logs to send commands to their malware.
Many organizations are already monitoring network traffic to detect malicious communications. In contrast, IIS logs are rarely monitored by security software as they are used to store requests from any visitor worldwide, making this technique of using IIS logs to send commands an effective defense evasion tactic. This is the first time that this technique has been observed in the wild, although it is similar to a technique seen in May 2022 where Windows event logs were utilized in a similar manner.
To utilize this technique, CraneFly employs a new dropper, dubbed “Trojan.Geppei”. Geppei reads its commands directly from the IIS log files, searching for specific strings such as “Wrde”, “Exco”, and “Cllo”, which are used to parse the malicious requests; each has a unique function:
- Wrde: Installs additional malware
- Exco: Executes a command
- Cllo: Disables and clears IIS logs
This tactic also helps to evade tracking by researchers and law enforcement, as the attackers can deliver the commands through various means such as proxy servers, VPNs, TOR, or online programming IDEs. It is unknown how long this technique has been employed by CraneFly.
As time progresses, threat actors continue to discover novel ways to evade detection. Now that this technique has been discovered, it appears relatively simple to detect: modify any preexisting IIS monitoring detections to search for keywords such as “wrde”, “exco”, and “cllo”. Since it would be relatively easy for malware operators to change these keywords, it may be better in this case to also watch for IIS log files being written to temp folders. This highlights the need for a defense-in-depth strategy that detects numerous different tactics along the cyber kill chain with redundancy. Implementing such a strategy would ensure that even if a new, novel tactic goes undetected, another portion of the actor’s activities will still be detected post-compromise.
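The keyword check described above, written out as an added example that is not part of the original article or of any Symantec tooling: it parses IIS W3C extended log records and flags any request whose path or query contains one of the three marker strings, case-insensitively. The log lines, IP addresses and marker payloads are constructed for illustration.

```python
# Added example (not from the original article): scan IIS W3C extended log
# records for the Geppei marker strings named in the text. The log lines
# below are constructed for illustration; the field layout follows the IIS
# W3C format, where a "#Fields:" header names the space-separated columns.
from typing import Dict, Iterable, Iterator, List

# Marker strings the text says Geppei parses out of IIS logs, matched
# case-insensitively because IIS records the URL exactly as requested.
MARKERS: Dict[str, str] = {
    "wrde": "installs additional malware",
    "exco": "executes a command",
    "cllo": "disables and clears IIS logs",
}

def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield each IIS log record as a dict keyed by the current #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header can change mid-file on rollover
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def find_marker_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per (record, marker) where the requested URL carries a marker."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        # Geppei reads the request as logged, so check both the path and the query.
        request = f"{rec.get('cs-uri-stem', '')}?{rec.get('cs-uri-query', '')}"
        for marker, meaning in MARKERS.items():
            if marker in request.lower():
                hits.append({"time": f"{rec['date']} {rec['time']}", "c-ip": rec["c-ip"],
                             "marker": marker, "meaning": meaning, "request": request})
    return hits

# Constructed sample log: benign traffic plus three requests carrying markers.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-01 12:00:01 10.0.0.5 GET /owa/ - 443 198.51.100.20 Mozilla/5.0 200
2022-10-01 12:00:07 10.0.0.5 GET /index.html Wrde=sample 443 198.51.100.20 Mozilla/5.0 404
2022-10-01 12:00:09 10.0.0.5 GET /missing.aspx - 443 203.0.113.7 curl/7.80 404
2022-10-01 12:00:15 10.0.0.5 GET /Exco_sample/ - 443 203.0.113.7 curl/7.80 404
2022-10-01 12:00:21 10.0.0.5 POST /api/data cllo 443 198.51.100.20 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c-ip']:>15} {hit['marker']} -> {hit['meaning']}: {hit['request']}")
```

Because the markers are trivially changed by the operator, treat hits as one signal to correlate with others the text mentions, such as IIS log files appearing in temp folders or 404 responses from the same client IP.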