Ordinary web access request or command to malware?
A threat group that targets corporate emails is delivering dropper malware through a novel technique that uses Microsoft Internet Information Services logs to send commands disguised as web access requests.
"The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks," the researchers from Symantec's Threat Hunter Team write in a recent
Cranefly was first described by Mandiant, when the team outlined the operations of a group it called
Geppei uses PyInstaller in the attacks, converting a Python script into an executable file, they say. IIS logs record IIS data such as web pages and apps.
The group uses the strings Wrde, Exco, and CIIo for malicious HTTP requests parsed by Geppei. The presence of the strings apparently prompts the dropper to do its work on a compromised Microsoft machine. Cranefly can use a dummy or non-existent URL to send commands because IIS logs 404s in the same log file by default.
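Because the commands arrive as ordinary logged requests, the same log files can be searched for the three strings. The following is an added detection sketch, not code from Symantec or the original article; it assumes the W3C extended log format with a `#Fields:` header, checks only client-supplied (`cs...`) fields, and runs on constructed sample log lines.

```python
from typing import Iterable, Iterator

# Marker strings exactly as listed in the article; matched case-sensitively.
MARKERS = ("Wrde", "Exco", "CIIo")

# Constructed sample in W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-28 09:00:01 GET /index.html - 198.51.100.7 Mozilla/5.0 200
2022-10-28 09:00:09 GET /no-such-page/Wrde - 203.0.113.9 Mozilla/5.0 404
2022-10-28 09:00:15 POST /api/login - 198.51.100.7 curl/8.0 302
2022-10-28 09:01:02 GET /missing.aspx id=Exco 203.0.113.9 Mozilla/5.0 404
"""

def scan_iis_log(lines: Iterable[str], markers=MARKERS) -> Iterator[dict]:
    """Yield one hit per (record, client-supplied field, marker) match."""
    fields = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # IIS rewrites this header when logging restarts, so re-read it each time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        for name, value in rec.items():
            if not name.startswith("cs"):  # only fields the client controls
                continue
            for marker in markers:
                if marker in value:
                    yield {"line": lineno, "time": rec.get("date", "") + " " + rec.get("time", ""),
                           "client": rec.get("c-ip"), "status": rec.get("sc-status"),
                           "field": name, "marker": marker}

if __name__ == "__main__":
    # 404s are included on purpose: requests to non-existent URLs land in the same log.
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Short substrings like these can also occur in legitimate URLs, so hits are leads for review rather than confirmed detections.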
The dropper also drops the Danfuan trojan, another undocumented piece of malware that compiles and executes received C# code and is apparently based on .NET dynamic compilation technology. This type of code isn't created on disk but exists in memory, the Symantec researchers say.