This crafty malware lurks in your systems before striking

Geppei dropper has a unique way of reading commands


Cybersecurity researchers from Symantec have discovered a brand new dropper that lurks for months before deploying backdoors, malware, and other malicious tools.

In a blog post, the company outlined the dropper, known as Geppei, which is apparently being used by Cranefly, a threat actor that was first described by Mandiant in May 2022.

Now, Symantec says Cranefly is using Geppei to drop, among other things, the Danfuan malware, a previously undocumented backdoor that has yet to be thoroughly analyzed.

Novel approaches

Cranefly targets, first and foremost, people working on corporate development, mergers and acquisitions, or large corporate transactions. The goal is to gather as much intel as possible, hence the immensely long dwell time.

The researchers say the group can lurk for as long as 18 months before being spotted. It manages this by installing backdoors on devices within the network that cannot run endpoint security tools such as antivirus software. Symantec lists SAN arrays, load balancers and wireless access point controllers as examples.

The dropper's command channel is another reason the group stays hidden for so long. Geppei reads its commands from a legitimate IIS log: "the technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks," the researchers confirmed.


IIS logs record the HTTP requests a Microsoft IIS web server handles, including the requested path and query string. An attacker who sends specially crafted requests to a compromised IIS server therefore gets them written into the log just like any other web access, and Geppei parses the log file and treats the strings it finds there as commands. Because IIS logs a request whether or not it succeeds, the requests do not even need to hit a real page, and the only network traffic involved looks like ordinary web browsing.
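To make the mechanism concrete, the following added example (not code from Symantec's write-up or from the malware itself) models both sides of the channel over a constructed IIS W3C log: a reader that pulls marker-delimited commands out of the cs-uri-query column, and a defender-side check that flags the same requests without knowing the markers. The delimiter strings MRKBEG/MRKEND, the "write …" command syntax, the IP addresses and every log line are placeholders, not the real Geppei values.

```python
"""Model of a log-borne command channel on an IIS server, plus a marker-agnostic
hunt for it. Added example; markers, command syntax and log lines are constructed."""
import base64
import re

# Hypothetical delimiters an operator might wrap a command in (placeholders).
MARK_BEGIN = "MRKBEG"
MARK_END = "MRKEND"

# Constructed operator command; base64 keeps it free of characters the log writer
# would re-encode or that would split the query across columns.
COMMAND_TEXT = "write /inetpub/wwwroot/upload/x.ashx"
COMMAND_B64 = base64.b64encode(COMMAND_TEXT.encode()).decode()

# Constructed W3C extended log in the layout IIS writes. The command rides in
# cs-uri-query on the third request; the 404 on the last request shows that a
# request need not succeed to be logged, which is all a log reader needs.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2022-10-26 09:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2022-10-26 09:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12",
    "2022-10-26 09:00:02 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 3",
    f"2022-10-26 09:00:03 10.0.0.5 GET /index.html {MARK_BEGIN}{COMMAND_B64}{MARK_END} 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 5",
    "2022-10-26 09:00:04 10.0.0.5 GET /doesnotexist.aspx " + "A" * 64 + "== 443 - 203.0.113.9 curl/7.85.0 404 0 2 1",
])

MARKER_RE = re.compile(re.escape(MARK_BEGIN) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK_END))
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-looking run
STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico")


def parse_w3c(text):
    """Yield one dict per request, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; worth its own alert in a real tool
        yield dict(zip(fields, values))


def read_commands(text):
    """Attacker side: scan the log and decode every marker-delimited command."""
    commands = []
    for entry in parse_w3c(text):
        match = MARKER_RE.search(entry["cs-uri-query"])
        if match:
            commands.append(base64.b64decode(match.group(1)).decode())
    return commands


def flag_suspicious(text):
    """Defender side: checks on the query string that do not depend on the markers."""
    findings = []
    for entry in parse_w3c(text):
        query = entry["cs-uri-query"]
        if query == "-":
            continue  # no query string at all
        reasons = []
        if BLOB_RE.search(query):
            reasons.append("long base64-like blob in query")
        if entry["cs-uri-stem"].lower().endswith(STATIC_EXT):
            reasons.append("query string on static asset")
        if entry["sc-status"] == "404":
            reasons.append("payload-bearing request to missing resource")
        if reasons:
            findings.append((entry["c-ip"], entry["cs-uri-stem"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    print("commands a reader would recover:", read_commands(SAMPLE_LOG))
    for finding in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", finding)
```

The defender-side checks deliberately ignore the markers: an operator can change delimiters at will, but a command has to survive the trip into the log, so it tends to show up as a long encoded blob in a query string, often attached to a path that makes no sense for a query (a static image, or a page that does not exist). Tuning the blob length and the list of static extensions to the site in question is the main work of making this usable on a real log.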


The group also takes persistence seriously, the researchers added. Each time a target spotted the intrusion and pushed the attackers out, they re-compromised it using a "variety of mechanisms" to keep the data theft campaign going.

So far, Symantec has linked Geppei only to Cranefly; whether any other threat actors are using the same approach remains to be seen.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
