Security researchers have found that the hacking group Cranefly is deploying a new technique that leverages Internet Information Services (IIS) commands to deliver backdoors to targets. The group has used the technique in intelligence-gathering campaigns. Security researchers at Symantec detailed the tactic, which uses a previously unidentified Trojan dubbed Geppei. The Trojan is used to install backdoors and other custom tools on SAN arrays, load balancers, and wireless access point controllers.
Symantec released a blog post discussing the technique. In the same post, researchers stated that the access point controllers targeted by Cranefly might lack appropriate security tools. Symantec had not observed the technique in real-world attacks until now, and researchers called it a clever way for the attacker to deploy commands.