A threat group that targets corporate emails is delivering dropper malware through a novel technique that uses Microsoft Internet Information Services (IIS) logs to send commands disguised as web access requests.
The dropper, dubbed Geppei, is being used by a group Symantec threat researchers call Cranefly to install other undocumented malware.
“The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks,” the researchers from Symantec’s Threat Hunter Team write in a recent report.
Cranefly was first described by Mandiant, when the team outlined the operations of a group it called UNC3524.
Geppei is built with PyInstaller, which packages a Python script into a standalone executable, they say. IIS logs record request data for the web pages and apps the server hosts. The attackers send commands to a compromised web server disguised as ordinary web access requests, which IIS then writes into those logs.
“Geppei reads commands from a legitimate IIS log. IIS logs them as normal but Trojan.Geppei can read them as commands,” the analysts write. “The commands read by Geppei contain malicious encoded .ashx files. These files are saved to an arbitrary folder determined by the command parameter and they run as backdoors.”
The group uses the strings Wrde, Exco, and CIIo (none of which usually appear on IIS log files) for malicious HTTP requests parsed by Geppei. The presence of the strings apparently prompts the dropper to do its work on a compromised Microsoft machine. Cranefly can use a dummy or non-existent URL to send commands because IIS logs 404s in the same log file by default.
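As an added example (not from the Symantec or Mandiant reports), the detection check a defender would want here: a small Python scanner that reads IIS W3C-format log lines, maps columns from the `#Fields:` directive, and flags any request whose client-controlled fields (URI stem, query string, User-Agent, Referer) contain the three marker strings as printed above. The log lines are constructed sample data, and the marker list, field names and `scan_iis_log` helper are this example's own assumptions, not part of the malware or of any vendor tool.

```python
"""Scan IIS W3C extended-format log lines for the Geppei marker strings.

Added example for illustration; not code from the article or from Symantec.
The sample log below is constructed, including the IP addresses.
"""

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Marker strings as printed in the article; a defender would tune this list.
GEPPEI_MARKERS: Tuple[str, ...] = ("Wrde", "Exco", "CIIo")

# Log columns whose content comes straight from the client request and is
# written to the log unchanged, which is what the dropper relies on.
CLIENT_CONTROLLED_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)")


@dataclass
class Finding:
    line_no: int      # 1-based line number in the log
    client_ip: str    # c-ip column, if present
    status: str       # sc-status column; 404s are still logged by default
    field: str        # which client-controlled column carried the marker
    marker: str       # which marker matched
    raw: str          # the full log line for the analyst


def parse_fields_directive(line: str) -> List[str]:
    """'#Fields: date time s-ip ...' -> ['date', 'time', 's-ip', ...]."""
    return line[len("#Fields:"):].split()


def scan_iis_log(lines: Iterable[str], markers: Tuple[str, ...] = GEPPEI_MARKERS) -> List[Finding]:
    """Return one Finding per (line, field, marker) hit in a W3C-format IIS log."""
    fields: List[str] = []
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields changes how data rows are parsed.
            if line.startswith("#Fields:"):
                fields = parse_fields_directive(line)
            continue
        if not fields:
            continue  # data row before any #Fields directive: columns unknown
        values = line.split(" ")  # IIS encodes embedded spaces as '+'
        if len(values) != len(fields):
            continue  # malformed row; skip rather than guess column positions
        row = dict(zip(fields, values))
        for field in CLIENT_CONTROLLED_FIELDS:
            value = row.get(field, "")
            for marker in markers:
                if marker in value:
                    findings.append(Finding(line_no, row.get("c-ip", "?"),
                                            row.get("sc-status", "?"), field, marker, line))
    return findings


# Constructed sample log: two benign requests and two requests that a
# Geppei-style operator could use, one against a non-existent path (404).
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Date: 2022-10-01 00:00:00",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2022-10-01 00:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12",
    "2022-10-01 00:00:02 10.0.0.5 GET /nonexistent/Wrde/data - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 3",
    "2022-10-01 00:00:03 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 4",
    "2022-10-01 00:00:04 10.0.0.5 POST /api/upload cmd=Exco 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 5",
]


def demo() -> List[Finding]:
    """Run the scanner over the constructed sample and return the hits."""
    return scan_iis_log(SAMPLE_LOG_LINES)


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit.line_no}: marker {hit.marker!r} in {hit.field} "
              f"from {hit.client_ip} (status {hit.status})")
```

The match is a plain case-sensitive substring test, so it will also fire on legitimate paths that happen to contain one of the tokens; treat a hit as a lead to pivot on (client IP, 404 status, unusual query strings against the same host) rather than as a verdict. Because the dropper only needs the request to be logged, not served, filtering on successful responses would miss exactly the traffic this technique produces.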
Among the backdoors dropped by Geppei is ReGeorg, a known web shell that both Symantec and Mandiant have seen Cranefly use. ReGeorg is publicly available on GitHub and has been used by a number of advanced persistent threat (APT) groups before, though Symantec has only linked it to Cranefly.
It also drops the Danfuan trojan, another undocumented piece of malware that compiles and executes received C# code and apparently is based on .NET dynamic compilation technology. This type of code isn’t created on disk but exists in memory, the Symantec researchers say.
“The use of a novel technique and custom tools, as well as the steps taken to hide traces of this activity on victim machines, indicate that Cranefly is a fairly skilled threat actor,” they write.
“While we do not see data being exfiltrated from victim machines, the tools deployed and efforts taken to conceal this activity, coupled with the activity previously documented by Mandiant, indicate that the most likely motivation for this group is intelligence gathering.”
Mandiant analysts write that they had been tracking the group since December 2019. According to the cybersecurity vendors, Cranefly targets the corporate emails of employees with an eye toward messages dealing with corporate development, M&A activity, and large corporate transactions.
The Mandiant researchers note that emails not only hold a lot of organizational information but are also stored in a central location, making it easier for threat groups to collect them. Email platforms also include built-in methods for searching and accessing mail data both on-premises and in the cloud, including eDiscovery and graph APIs, tools that cybercriminals can also use to collect information.
The threat group has been seen squatting in a target’s network for as long as 18 months and using a number of techniques to remain undetected, including installing backdoors on appliances like SAN arrays, load balancers, and wireless access point controllers, none of which typically support security tools like antivirus or endpoint protection.
The Mandiant researchers write that they saw Cranefly drop both ReGeorg and a new backdoor called QuietExit, which is based on the open-source Dropbear SSH software.
They note that while the attackers’ choice of victims suggests their motivation was financial, their ability to stay undetected well beyond the average dwell time of 21 days suggests espionage.
The research group has a list of indicators of compromise on the post. ®
Singapore’s Ministry of Health (MOH) announced on Thursday that it was finally pulling the plug on its COVID tracking program.
On February 13, the city-state’s TraceTogether (TT) program, which uses the Bluetooth radios in mobile phones to track movements, and its business check-in system SafeEntry (SE) will come to a halt.
According to the ministry’s announcement, the government had already begun stepping down TT and SE, and would no longer require infected persons to submit TraceTogether data.
“SE data is no longer being collected, and MOH has deleted all identifiable TT and SE data from its servers and databases,” said the department.
The exception is data that was controversially used off-label in a murder investigation.
The systems will remain intact – as well as registration details including name, business registration, and mobile phone number – in case there is a need for reactivation. One example given is if a more dangerous COVID-19 variant were to spread. Apps will also remain available.
The ministry told members of the public, who haven’t been required to have them since last year, that they may “uninstall their TT App, and enterprises may do the same for the SE (Business) App.”
Furthermore, those with a physical TT token, which came in handy for the non-tech savvy as a device that exchanges anonymized identifiers, were asked to return the dongle for recycling.
Singapore began developing the open source TraceTogether at the onset of the pandemic in 2020. The app constantly sought out other Bluetooth-enabled devices that ran the app and logged when they were in close proximity. The country required users to register and inform authorities if they contracted COVID-19 and used the app to draw up lists of contacts who were then isolated.
Other countries, including Australia, based their apps on the technology. While many nations seemed to flop at COVID tracking, Singapore fared somewhat better, even with similar technology. That success has been attributed to a culture willing to comply, combined with a government that modified behavior through other strict rules to keep the virus from spreading.
One example of the additional measures was tracking devices issued to travelers during a required one-week isolation after arriving.
In April, TT and SE became largely superfluous as their use was no longer mandatory except for select events. The efficacy of such systems relied on mass compliance so if some people weren’t using them, they were less effective anyway.
However, job postings for positions related to the program near that time sparked speculation that the system would remain in some form in the island nation, unlike in most other countries. Singapore’s Government Technology Agency (GovTech) told The Register in late March 2022 the job listings were merely for replacing existing employees.
Australia quit its app in August after it was deemed a massive failure. Japan followed in September, and China discontinued use of its tracking app in December. ®
Based in Co Mayo, Ovagen now plans to add 65 jobs over the next five years and hopes to see its revenue reach €42m by the end of 2027.
Irish biotech start-up Ovagen has raised €1.1m in an oversubscribed funding round led by the Halo Business Angel Network (HBAN) for its germ-free egg production business.
Ovagen, based in Ballina, Co Mayo, is a biotech company that has developed a process of producing germ-free chicken eggs intended for use in the pharmaceutical industry for products such as vaccines.
According to Ovagen, up to 20pc – or one in five – egg-based vaccine batches are destroyed because of contamination.
Overall, more than 1bn eggs are used every year as ‘bio reactors’ to develop vaccines. Viruses are injected into the eggs to propagate the virus, which vaccine manufacturers can then use to develop vaccines for diseases including the flu, yellow fever, mumps and measles.
Dr Catherine Caulfield, CEO and co-founder of Ovagen, said that current vaccines are developed using specific pathogen free eggs, which are free of many bacteria and viruses, but they are not germ-free and a significant portion become contaminated.
“Our funders have been instrumental in supporting us on our long journey to make a concept a reality,” she said.
“At critical stages in our development, our angel investors have not only provided us with their financial backing, but they have also introduced us to other potential investors, as well as their highly influential industry contacts.”
Ovagen now aims to go to market with the “world’s first germ-free egg” in what is potentially a multimillion euro industry.
“The global potential of the company’s technology is vast and that is why this is the second time HBAN syndicates have backed Ovagen,” said Declan MacFadden, an HBAN spokesperson.
“Ovagen is now in prime position to launch its product and we are excited to see the impact that this ground-breaking development has in a highly lucrative global market.”
Following the latest investment, in which the Western Development Commission and an existing shareholder also participated, the company expects to add 65 jobs (it currently has 12 staff) over the next five years, with revenues reaching €42m by the end of 2027.
US lawmakers held a combative hearing on Wednesday with former senior staffers at Twitter over the social media platform’s handling of reporting on Joe Biden’s son Hunter Biden.
The proceedings set the stage for the agenda of a newly Republican-controlled House, underscoring its intention to home in on longstanding and unsubstantiated allegations that big tech platforms have an anti-conservative bias.
The House oversight committee called for questioning recently departed Twitter employees including Vijaya Gadde, the social network’s former chief legal officer, former deputy general counsel James Baker, former head of safety and integrity Yoel Roth and former safety leader Anika Collier Navaroli.
The hearing centered on a question that has long dogged Republicans – why Twitter decided to temporarily restrict the sharing of a story about Hunter Biden in the New York Post, released in October 2020, the month before the US presidential election. But lawmakers on both sides of the aisle used the opportunity to interrogate moderation practices at Twitter and other tech firms.
“The government doesn’t have any role in suppressing speech,” said Republican committee chairman James Comer, hammering the former employees for censoring the Post story.
In that report, the Post said it received a copy of a laptop hard drive from Donald Trump’s then-personal attorney, Rudy Giuliani, that Hunter Biden had dropped off 18 months earlier at a Delaware computer repair shop and never retrieved. Twitter initially blocked people from sharing links to the article for several days, citing concerns over misinformation and spreading a report containing potentially hacked materials.
In opening statements on Wednesday, the former Twitter staffers described the process by which the story was blocked. While the company explicitly allowed “reporting on a hack, or sharing press coverage of hacking”, it blocked stories that shared “personal and private information – like email addresses and phone numbers” – which the Post story appeared to include. The platform amended these rules following the Biden controversy, and the then CEO, Jack Dorsey, later called the company’s communications about the Post article “not great”.
Roth, the former head of safety and integrity, said on Wednesday that Twitter acknowledged that censoring the story was a mistake.
“Defending free expression and maintaining the health of the platform required difficult judgment calls,” he said. “There is no easy way to run a global communications platform that satisfies business and revenue goals, individual customer expectations, local laws and cultural norms and get it right every time.”
Elon Musk, who purchased the company last year, has since shared a series of internal records, known as the Twitter Files, showing how the company initially stopped the story being shared, citing concerns from the Biden campaign, among other factors.
Republican theories that Democrats are colluding with big tech to suppress conservative speech have become a hot button issue in Washington, with congress members using various tech hearings to grill executives. But experts say claims of anti-conservative bias have been disproven by independent researchers.
“What we’ve seen time and again is that companies are de-platforming people who are spreading racism and conspiracy theories in violation of the company’s rule,” said Jessica J González, co-chief executive officer of the civil rights group Free Press.
“The fact that those people are disproportionately Republicans has nothing to do with it,” she added. “This is about right or wrong, not left or right.”
Musk’s decision to release information about the laptop story comes after he allowed the return of high-profile figures banned for spreading misinformation and engaging in hate speech, including the former president. The executive has shared and engaged with conspiracy theories on his personal account.
Republican lawmakers seem to have found an ally in Musk, and repeatedly praised him during Wednesday’s proceedings. The rightwing congresswoman Marjorie Taylor Greene used her time on the floor to personally attack the former Twitter employees and complain about her own account, which was suspended for violating the platform’s policies on coronavirus misinformation.
“I’m so glad you’ve lost your jobs,” she said. “I am so glad Elon Musk bought Twitter.”
But Democrats on Wednesday used their time in the House to explore how the Trump administration engaged with Twitter, revealing that the former president himself tried to interfere with content decisions.
In response to questioning from the new representative Maxwell Frost of Florida, the former Twitter content moderation executive Navaroli confirmed that in 2019 Trump tried to have an insulting tweet from internet personality Chrissy Teigen removed from the platform. In the tweet, which was read for the record, Teigen referred to Trump as a “pussy ass bitch”. Twitter denied the White House’s request, and it remains online today.
Representative Alexandria Ocasio-Cortez further sought to disprove bias against conservative speech on Twitter when she asked about an instance in 2019, when a tweet from Trump including hate speech was kept online despite violating platform policies.
The former president told Democratic congresswomen to “go back” to their countries, a clear violation of Twitter’s policies regarding abuse against immigrants, but was not penalized, Navaroli confirmed, and the rules were changed.
“So Twitter changed their own policy after Trump violated it to accommodate his tweets?” Ocasio-Cortez said. “So much for bias against the rightwing on Twitter.”
The White House has sought to discredit the Republican investigations into Hunter Biden, calling them “divorced-from-reality political stunts”. Nonetheless, Republicans now hold subpoena power in the House, giving them the authority to compel testimony and conduct an aggressive investigation.
In opening statements at Wednesday’s hearing, Democratic representative Jamie Raskin of Maryland expressed frustration that the first tech-focused panel of the session is focused on the Hunter Biden story, which he called a “faux scandal”. He said private companies under the first amendment are free to decide what is allowed on their platforms.
“Silly does not even begin to capture this obsession,” he said of the laptop story. “What’s more, Twitter’s editorial decision has been analyzed and debated ad nauseam. Some people think it was the right decision. Some people think it was the wrong decision. But the key point here is that it was Twitter’s decision.”