Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign

Symantec, by Broadcom Software, uncovered a previously undocumented dropper, Trojan.Geppei, that reads its commands from IIS log files and uses them to install a new backdoor (Trojan.Danfuan) and other tools. The campaign is linked, though not conclusively, to Cranefly and UNC3524. Notable features are PyInstaller packaging of the dropper and the unusual log-based command channel. Hashtags: #Geppei #Danfuan #Cranefly #UNC3524 #Regeorg #Hacktool

Keypoints

  • The Cranefly actor uses a dropper Trojan.Geppei to load a new backdoor (Trojan.Danfuan) and other tools.
  • Geppei reads commands from legitimate IIS logs, disguising them as web access requests to control infected hosts.
  • The commands read by Geppei contain encoded .ashx files; these are decoded, saved to an arbitrary folder determined by a command parameter, and run as backdoors.
  • Strings Wrde, Exco, and Cllo appear in IIS logs and trigger Geppei activity when parsed as commands.
  • Commands can be delivered through requests for non-existent URLs: IIS logs 404 responses in the same log file by default, so the attacker needs no valid page on the server for the request to reach the log.
  • A link to UNC3524 is discussed on the basis of the Regeorg web shell, but the link is not definitively established.
  • IOC set includes multiple Trojan.Geppei, Trojan.Danfuan, Hacktool, and Hacktool.Regeorg hashes and names.
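The log-reading channel above is also the cheapest place to hunt for this activity: the marker strings do not occur in normal web traffic, and a defender can scan the same log files the dropper reads. The script below is an added example, not code from the Symantec write-up or from the Cranefly toolset. It parses IIS W3C extended log lines using the #Fields header, flags any request whose attacker-controlled fields (URI stem, query string, User-Agent, Referer) contain Wrde, Exco or Cllo, and keeps 404 responses in scope since the report notes the attacker can use non-existent URLs. The field names are the IIS defaults; the log lines at the bottom are constructed for the demonstration and the marker match is a plain case-sensitive substring test, which is an assumption about how tightly the strings should be matched.

```python
"""Hunt for Geppei-style command markers in IIS W3C extended logs.

Added example (not the report's or the actor's code). It names columns
from the #Fields header, then flags requests carrying one of the marker
strings the report says Geppei parses (Wrde, Exco, Cllo) in a field the
client controls. Sample log lines are constructed, not captured.
"""
from typing import Dict, Iterable, Iterator, List

MARKERS = ("Wrde", "Exco", "Cllo")

# Request fields the client controls that IIS writes to the log by default.
ATTACKER_CONTROLLED = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)")


def parse_iis_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the most recent #Fields header.

    IIS writes a #Fields directive at the top of every log file and again
    whenever the configured field set changes, so it is re-read on sight.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_marker_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per request that carries a marker in a client-controlled field."""
    hits: List[Dict[str, str]] = []
    for rec in parse_iis_w3c(lines):
        for field in ATTACKER_CONTROLLED:
            value = rec.get(field, "-")
            marker = next((m for m in MARKERS if m in value), None)
            if marker is None:
                continue
            hits.append({
                "time": f"{rec.get('date', '')} {rec.get('time', '')}",
                "client": rec.get("c-ip", "-"),
                "status": rec.get("sc-status", "-"),  # 404 is expected, not exculpatory
                "field": field,
                "marker": marker,
                "value": value,
            })
            break  # one finding per log line is enough
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per client IP so repeat senders stand out."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


# Constructed sample: ordinary traffic plus three marker-bearing requests from
# one client. Two of them hit paths that do not exist, so IIS answers 404 but
# still records the full stem and query string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-10-01 00:00:02 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 3
2022-10-01 00:00:03 10.0.0.5 GET /nosuchpage WrdeaGVsbG8=Wrde 443 - 198.51.100.9 Mozilla/5.0 - 404 0 2 4
2022-10-01 00:00:04 10.0.0.5 GET /Exco - 443 - 198.51.100.9 Mozilla/5.0 - 404 0 2 4
2022-10-01 00:00:05 10.0.0.5 GET / - 443 - 198.51.100.9 Cllo - 200 0 0 2
2022-10-01 00:00:06 10.0.0.5 POST /login - 443 - 203.0.113.8 Mozilla/5.0 - 302 0 0 10
"""

if __name__ == "__main__":
    findings = find_marker_requests(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['time']} {f['client']} {f['status']} {f['field']}={f['value']} [{f['marker']}]")
    print(clients_by_hits(findings))
```

Run it against a real log with `find_marker_requests(open(path, encoding="utf-8", errors="replace"))`. The substring match is deliberately loose; if a site legitimately serves paths containing these tokens, tighten the check to the query string and User-Agent, where a benign match is far less likely.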

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The dropper reads commands from IIS logs and executes encoded .ashx payloads as backdoors. ‘The attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal but Trojan.Geppei can read them as commands.’
  • [T1105] Ingress Tool Transfer – The dropper is used to install a new backdoor and other tools. ‘to install a new backdoor and other tools’
  • [T1027] Obfuscated Files and Information – Geppei is packaged with PyInstaller, which converts a Python script into an executable file. ‘The first malicious activity … uses PyInstaller, which converts Python script to an executable file.’
  • [T1505.003] Web Shell – Regeorg webshell referenced in activity related to UNC3524. ‘Regeorg webshell’
  • [T1036] Masquerading – Commands are disguised as web access requests in IIS logs. ‘disguising them as web access requests’

Indicators of Compromise

  • [File Hash] Trojan.Geppei – 12eaac1b8dc29ba29287e7e30c893017f82c6fadb73dbc8ef2fa6f5bd5d9d84e, 981b28d7521c5b02f026cb1ba5289d61ae2c1bb31e8b256db21b5dcfb8837475, 6dcfa79948cf90b10b05b59237cf46adb09b2ce53bc2c0d38fce875eccd3a7e1, 0af8bf1fa14fe492de1cc870ac0e01fc8b2f6411de922712a206b905a10ee379, b5a4804cf7717fda1f01f23c1c2fe99fe9473b03f0247bcc6190f17d26856844, 7d5018d823939a181a84e7449d1c50ac3eb94abf3585a2154693ef518087b95 (63 hex characters as listed, so incomplete; confirm against the source before use)
  • [File Hash] Trojan.Danfuan – 0b168638224589937768eb15c9ebbe795d6539d1fbe744a8f065fedd569bfc5e
  • [File Hash] Hacktool – 1975bea7ca167d84003b601f0dfb95c4b31a174ce5af0b19e563cb33cba22ffa, and 1 more hash
  • [File Hash] Hacktool.Regeorg – 56243c851b13218d3031ca7e5af8f2b891e139cbd6d7e3f40508e857802a1077, 0b8d024ec29619ff499e4b5024ff14451731a4e3155636a02ef5db2df0e0f0dd

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan