{"id":77873,"date":"2022-11-13T09:42:04","date_gmt":"2022-11-13T01:42:04","guid":{"rendered":"https:\/\/x-phy.com\/?p=77873"},"modified":"2025-10-02T06:56:40","modified_gmt":"2025-10-02T06:56:40","slug":"new-stealth-techniques-used-by-cranefly-espionage-hackers","status":"publish","type":"post","link":"https:\/\/x-phy.com\/new-stealth-techniques-used-by-cranefly-espionage-hackers\/","title":{"rendered":"New Stealth Techniques used by Cranefly Espionage Hackers"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"77873\" class=\"elementor elementor-77873\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6938076 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6938076\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-929cfac\" data-id=\"929cfac\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e493549 elementor-widget elementor-widget-text-editor\" data-id=\"e493549\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tWeb-based cybersecurity attackers use \u201cstealthier techniques\u201d which are not as \u201cnoisy\u201d as active attacks, making it easier to continue undetected for a longer period of time. Stealthy techniques are employed by malware developers which utilize various mechanisms to avoid detection. It takes its name from the term stealth, which describes an approach to doing something while avoiding notice. 
Once the malware is on a computer, these stealthy techniques allow it to operate and gain control over part or all of the system without raising any alerts or otherwise making the user aware of its presence.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed2fd5c elementor-widget elementor-widget-text-editor\" data-id=\"ed2fd5c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A report published by <a href=\"https:\/\/thehackernews.com\/2022\/10\/researchers-uncover-stealthy-techniques.html\" target=\"_blank\" rel=\"noopener\">The Hacker News<\/a> outlines the stealthy techniques that Symantec researchers found in use by the Cranefly espionage group. Cranefly is known for targeting the bulk email of employees working in corporate development, mergers, acquisitions and large corporate transactions. Initial analysis suggested a link between the Cranefly toolset and that of a group called UNC3524, which first surfaced in May 2022. These attackers spent at least 18 months on victim networks without retreating data and used <a href=\"https:\/\/x-phy.com\/glossary\/backdoor-attacks\/\">backdoors<\/a> on appliances that did not support security tools in order to remain undetected.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6559e02 elementor-widget elementor-widget-text-editor\" data-id=\"6559e02\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tCranefly\u2019s malware installs a previously undocumented backdoor known as Trojan.Danfuan, together with other tools. 
The previously undocumented malware is distributed by the Geppei dropper, which uses a new technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs. IIS logs are meant to record activity from IIS, such as requests to web pages and apps. Geppei and Danfuan aid Cranefly\u2019s cyber rigidity. Geppei reads commands from a legitimate IIS log, so the attackers can send commands to a compromised web server by disguising them as web access requests. IIS logs them as normal requests, but Trojan.Danfuan can read them as commands. The commands contain malicious encoded .ashx files, which are saved to a folder determined by the command parameter and run as backdoors. The previously unseen Danfuan trojan is a dynamic code compiler that compiles and executes received C# code, including a web shell called reGeorg that is also used by other actors such as APT28, DeftTorero and Worok.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-06251c2 elementor-widget elementor-widget-text-editor\" data-id=\"06251c2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThe Cranefly group stands out from typical attack groups for its particularly long dwell time, achieved with its key malware strain, QUIETEXIT, a backdoor deployed on network appliances that do not support endpoint detection, such as load balancers and wireless access point controllers. 
Symantec warned that the use of a novel technique alongside customized tools, and the steps taken to hide their activity, underline that Cranefly is a &#8220;fairly skilled&#8221; hacking group motivated by intelligence gathering.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e4251b3 elementor-widget elementor-widget-text-editor\" data-id=\"e4251b3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The ever-growing scope of expanding attack surfaces is of particular concern in today\u2019s dynamic threat landscape. Resilience against attacks that use stealthy techniques, like Cranefly\u2019s, requires continuous discovery, inventory, classification, prioritization and security monitoring of systems, with visibility into them to identify&nbsp;<a href=\"https:\/\/x-phy.com\/solutions\/zero-trust\/\" target=\"_blank\">cyber threats&nbsp;<\/a>that could facilitate data breaches and data leaks.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Web-based cybersecurity attackers use \u201cstealthier techniques\u201d which are not as \u201cnoisy\u201d as active attacks, making it easier to continue undetected for a longer period of time. 
Stealthy techniques are employed [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":77907,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-77873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trends-and-developments"],"_links":{"self":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/comments?post=77873"}],"version-history":[{"count":1,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77873\/revisions"}],"predecessor-version":[{"id":110286,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/posts\/77873\/revisions\/110286"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media\/77907"}],"wp:attachment":[{"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/media?parent=77873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/categories?post=77873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/x-phy.com\/wp-json\/wp\/v2\/tags?post=77873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}