Cranefly Hackers Control Malware via Microsoft IIS Web Server Logs

The Cranefly group, also known as UNC3524, has been observed using an unusual method of controlling its malware: instead of contacting a conventional command-and-control (C&C) server, the malware reads its commands out of Microsoft Internet Information Services (IIS) web server logs.

Microsoft IIS is a web server used to host websites and web applications. For every request it receives, IIS writes a log entry recording details of that request, such as the timestamp, the source IP address, the requested URL path and query string, and the client's user agent. Because the server logs whatever a client sends, anyone who can reach the web server can get attacker-chosen strings written into the log file simply by making a request.

Cranefly's recent malware, Trojan.Geppei, is controlled through these IIS logs: it reads the log file and searches for specific strings and keywords that do not normally appear in IIS logs, treating the requests that contain them as commands. For defenders this means the operator's traffic looks like ordinary web requests, and the log lines themselves, rather than outbound connections to a C&C server, are the artefact to hunt for.
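The following is an added example, not code from the article or from the Cranefly/Geppei reporting it summarizes. It shows the defender's side of the technique: parse IIS W3C extended log entries and flag any request field that carries a marker token an attacker could use to smuggle a command into the log. The log lines are constructed, and the marker names `cmd_marker` and `run_marker` and the base64-encoded payload are assumptions for illustration, not the real Geppei indicators; substitute the strings from a vendor report.

```python
"""
Scan IIS W3C extended log text for request fields carrying marker tokens.

Added example. The marker tokens, sample log and payload encoding are
assumptions made for illustration, not indicators from any vendor report.
"""
import base64
import binascii

# Hypothetical marker tokens; replace with real indicators before use.
MARKER_TOKENS = ("cmd_marker", "run_marker")

# Client-controlled fields in the default IIS W3C log format. Anything a
# remote client sends in these ends up in the log verbatim.
REQUEST_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)")

# Constructed sample log: two benign requests, then two requests that carry
# marker tokens in the query string. Lines 5-8 are the entries.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-31 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-31 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2022-10-31 10:00:02 10.0.0.5 GET /img/logo.png - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 3
2022-10-31 10:00:03 10.0.0.5 GET /index.html cmd_marker=c2hlbGw6d2hvYW1p 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 5
2022-10-31 10:00:04 10.0.0.5 POST /login run_marker 443 - 198.51.100.9 curl/7.68.0 - 404 0 2 4
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    The '#Fields:' directive defines the column layout; other '#' lines are
    metadata. Each entry also gets a '_line' key with its 1-based line number.
    """
    fields = None
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: log entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        entry = dict(zip(fields, values))
        entry["_line"] = lineno
        entries.append(entry)
    return entries


def _decode_payload(value, token):
    """Best-effort decode of whatever follows the token, assuming base64.

    The base64 convention is an assumption for this example. Returns the
    decoded text, or None if nothing follows the token or it is not base64.
    """
    rest = value.split(token, 1)[1].lstrip("=")
    if not rest:
        return None
    try:
        return base64.b64decode(rest, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_marker_hits(text, tokens=MARKER_TOKENS):
    """Return one hit per (entry, field, token) where a marker token appears."""
    hits = []
    for entry in parse_iis_log(text):
        for field in REQUEST_FIELDS:
            value = entry.get(field, "-")
            for token in tokens:
                if token in value:
                    hits.append({
                        "line": entry["_line"],
                        "c-ip": entry.get("c-ip"),
                        "field": field,
                        "token": token,
                        "value": value,
                        "payload": _decode_payload(value, token),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_marker_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['c-ip']} wrote {hit['token']!r} into "
              f"{hit['field']} (payload: {hit['payload']})")
```

Running it on the constructed sample reports the two requests from 198.51.100.9 and decodes the first payload. In practice the token list is the weak point: tokens should be treated as a starting hypothesis, and the same parser can be pointed at rarely-seen query strings or user agents per source IP to catch markers that have not been published.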



