A recently discovered hacking group known for targeting employees dealing with corporate transactions has been linked to a new backdoor called Danfuan.
This hitherto undocumented malware is delivered via a separate dropper called Geppei, according to researchers from Symantec, by Broadcom Software, in a report shared with The Hacker News.
The dropper “is being used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs,” the researchers said.
The toolset has been attributed by the cybersecurity company to a suspected espionage actor called UNC3524, aka Cranefly, which first came to light in May 2022 for its focus on bulk email collection from victims who deal with mergers and acquisitions and other financial transactions.
One of the group’s key malware strains is QUIETEXIT, a backdoor deployed on network appliances that do not support antivirus or endpoint detection, such as load balancers and wireless access point controllers, enabling the attacker to fly under the radar for extended periods of time.
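A defender-side check for the log-based command channel described above, added here as an illustration and not code from Symantec's report: it parses an IIS W3C log and flags requests that returned a 4xx status yet carried a long opaque token, since a request that fetches nothing but still gets written to the log is what a log-reading implant relies on. The marker strings the real dropper looks for are not given on this page, so the heuristic, field names and sample log below are constructed.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample IIS W3C log (not from the report). The default IIS field
# set is used; the last request carries a long opaque token in cs-uri-query
# against a path that does not exist (404).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-28 10:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2022-10-28 10:00:09 10.0.0.5 GET /favicon.ico - 443 - 198.51.100.7 Mozilla/5.0 - 404 0 2 3
2022-10-28 10:01:12 10.0.0.5 GET /robots.txt cmd=ZXhhbXBsZS1jb25zdHJ1Y3RlZC1wYXlsb2Fk 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 4
"""

# Assumed heuristic: a run of 24+ base64/url-safe characters in the request.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{24,}")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")           # IIS separates fields with single spaces
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_entries(text: str) -> List[Dict[str, str]]:
    """Return entries where the request served no resource (4xx) but still
    carried a long opaque token in the URI stem or query string."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
        if rec.get("sc-status", "").startswith("4") and LONG_TOKEN.search(request):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

Run against a real log directory the same way, then review the flagged client addresses and paths by hand; benign scanners also produce 404s with long query strings, so this is a triage filter rather than a verdict.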