Cranefly Hackers Use Stealthy Techniques to Deliver and Control Malware
A previously undocumented dropper has been spotted installing backdoors and other tools using the new technique of reading commands from apparently innocuous Internet Information Services (IIS) logs.
The dropper was discovered by cybersecurity researchers at Symantec, who said an actor they track as Cranefly (aka UNC3524) is using it to install another piece of undocumented malware (Trojan.Danfuan) and other tools.
Cranefly was first documented by Mandiant in May, with the security company saying the group heavily targeted the emails of employees who worked in corporate development, mergers and acquisitions, and large corporate transactions.
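The detection angle that follows from the technique above is that a web server's own access logs become a command channel only if the attacker can write something into them, which on IIS means sending HTTP requests whose URI or query string carries the payload. The block below is an added example, not code from the article or from Symantec, of a defender-side pass over an IIS W3C-format log: it maps columns from the `#Fields:` header and flags request URIs or query strings containing long, high-entropy base64-like tokens. The sample log lines are constructed for this example, and the heuristic (token length of 32 or more characters, Shannon entropy of at least 3.5 bits per character) is an assumption for illustration; the article does not describe the format of the commands Cranefly's dropper reads, so this is a generic anomaly check rather than a signature for that malware.

```python
import math
import re
from typing import Iterator

# Constructed sample of an IIS W3C access log (not from the article or the advisory).
# The third record carries a long base64-like blob in its query string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 00:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 12
2024-01-01 00:00:02 10.0.0.5 GET /images/logo.png - 80 - 10.0.0.9 Mozilla/5.0 200 0 0 3
2024-01-01 00:00:03 10.0.0.5 GET /healthcheck.aspx cmd=VGhpcyBpcyBhIHN1c3BpY2lvdXNseSBsb25nIGJhc2U2NCBibG9i 80 - 203.0.113.7 curl/8.0 404 0 2 5
2024-01-01 00:00:04 10.0.0.5 GET /search.aspx q=printers 80 - 10.0.0.9 Mozilla/5.0 200 0 0 8
"""

# A run of base64-alphabet characters long enough to be unusual in a normal URI.
# The 32-character floor is an assumed tuning value, not a documented threshold.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, words and paths score low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the column names from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record encountered before a #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            # Skip malformed lines rather than mis-map columns.
            continue
        yield dict(zip(fields, values))


def suspicious_entries(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return records whose URI stem or query carries a long, high-entropy token."""
    hits = []
    for rec in parse_w3c(text):
        for field in ("cs-uri-stem", "cs-uri-query"):
            for token in BASE64_TOKEN.findall(rec.get(field, "-")):
                if shannon_entropy(token) >= min_entropy:
                    hits.append({**rec, "field": field, "token": token})
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} "
              f"{hit['cs-uri-stem']} {hit['field']}={hit['token'][:16]}... "
              f"status={hit['sc-status']}")
```

Run against real logs, the interesting output is not a single hit but the pattern: repeated requests from one client to a resource that returns 404 while carrying encoded data, which is consistent with a log being used as a drop point rather than with legitimate traffic.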
According to Mandiant, these attackers spent at least 18 months on victim networks and used backdoors on appliances that didn’t support security tools to remain undetected.
The new Symantec advisory now says that some of the backdoors used by UNC3524 relied on Hacktool.Regeorg, an open-source tool used by multiple advanced persistent threat (APT) clusters.
“Symantec was unable to link this activity to any known groups other than the UNC3524 group documented by Mandiant, which we track as Cranefly,” the company wrote.
Further, Symantec has warned that the use of a novel technique alongside the custom tools and the steps taken to hide their activity indicate that Cranefly is a “fairly skilled” hacking group.
“While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”
Symantec has provided a list of indicators of compromise (IoCs) for this threat in its advisory, as well as on its Protection Bulletins page.
Another threat actor typically focusing on intelligence gathering is Polonium, which was recently seen by ESET using seven different backdoor variants to spy on Israeli organizations.