1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • This crafty malware lurks in your systems before striking

    From TechnologyDaily@1337:1/100 to All on Tue Nov 1 11:45:03 2022
    This crafty malware lurks in your systems before striking

    Date:
    Tue, 01 Nov 2022 11:24:25 +0000

    Description:
    Geppei dropper has a unique way of reading commands, and it includes IIS logs.

    FULL STORY ======================================================================

    Cybersecurity researchers from Symantec have discovered a brand new dropper that lurks for months before deploying backdoors, malware , and other malicious tools.

    In a blog post , the company outlined the dropper, known as Geppei, which is apparently being used by Cranefly, a threat actor that was first described by Mandiant in May 2022.

    Now, Symantec claims Cranefly is using Geppei to drop, among other things,
    the Danfuan malware - a brand new variant thats yet to be thoroughly
    analyzed. Novel approaches

    Cranefly targets, first and foremost, people working on corporate
    development, mergers and acquisitions, or large corporate transactions. The goal is to gather as much intel as possible, hence the immensely long dwell time.

    The researchers are saying the group can lurk around for as long as 18 months before being spotted. They manage to pull it off by installing backdoors on endpoints within the network that dont naturally support cybersecurity tools, antivirus software , and similar. The devices include SANS arrays, load balancers, or wireless access point controllers, Symantec says.

    Another reason they manage to stick around for so long is due to a novel approach to get commands out to Geppei. Apparently, the dropper reads
    commands from a legitimate IIS log - the technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date
    in real-world attacks, the researchers confirmed. Read more

    These two dangerous Trojan 'dropper' Android apps have already been
    installed thousands of times


    New Roblox trojan will land you with a nasty PC infection


    Check out the best endpoint protection services out there

    IIS logs are used to record data from IIS, such as web pages and apps. By sending commands to a compromised web server and presenting them as web
    access requests, Geppei can read them as actual commands.

    The group also takes its persistence seriously, the researchers added. Each time the target spotted the intrusion and pushed the attackers out, theyd re-compromise it with a variety of mechanisms to keep the data theft campaign going.

    So far, Symantec has only managed to link Geppei to Cranefly, and whether or not any other threat actors are using the same approach remains to be seen. Check out the best firewalls right now



    ======================================================================
    Link to news story: https://www.techradar.com/news/this-crafty-malware-lurks-in-your-systems-befor e-striking/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)