Malware Targeting Microsoft IIS: What You Need to Know
Reading Time: 3 Minutes
Frebniis: The New Malware Used by Hackers to Stealthily Control IIS Servers
Hackers have developed a new malware known as ‘Frebniis’ that infiltrates Microsoft’s Internet Information Services (IIS), a popular web server software. The malware operates stealthily, executing commands sent via web requests. The Symantec Threat Hunter Team first discovered the malware and reported that an unknown threat actor is currently using it to target Taiwan-based organizations.
IIS serves as a web server and web app hosting platform for various services, including Outlook on the Web for Microsoft Exchange. In the attacks observed by Symantec, hackers exploited a feature in IIS called ‘Failed Request Event Buffering’ (FREB), which collects request metadata such as IP addresses, HTTP headers, and cookies. The purpose of FREB is to help server administrators diagnose unexpected HTTP status codes or request processing problems.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
Symantec’s Threat Hunter Team Discovers Frebniis
According to Symantec, threat actors must first breach an IIS server to compromise the FREB module. However, they could not determine the initial method used to gain access. The injected code is a .NET backdoor that supports proxying and C# code execution without ever touching the disk, making it entirely stealthy. The malware looks for requests made to the logon.aspx or default.aspx pages with a specific password parameter. A second HTTP parameter, which is a base64-encoded string, instructs Frebniis to communicate and execute commands on other systems via the compromised IIS, potentially accessing protected internal systems that are not exposed to the internet.
The malware supports various commands, as seen in the image below.
Commands sent to Frebniis via specially crafted HTTP requests (Symantec)
If an HTTP call to logon.aspx or default.aspx is received without the password parameter, but with the Base64 string, the Base64 string is assumed to be C# code that will be executed in memory. The Base64 string is decoded and then decrypted (xor 0x08) and is expected to be an XML document with the C# code to be executed in the ‘/doc’ node under the ‘data’ attribute (E.g. <doc data=C# code>).
Trending: Major Cyber Attacks of 2022
Trending: Recon Tool: SauronEye
Update Your Software and Monitor Network Traffic to Avoid the Latest IIS-Based Malware
The primary advantage of exploiting the FREB component for these purposes is evading detection from security tools. This unique HTTP backdoor leaves no traces or files and creates no suspicious processes on the system. It is unknown how threat actors gain the initial access, but updating software is generally recommended to minimize the chances of known vulnerabilities being exploited. Advanced network traffic monitoring tools may also help detect unusual activity from malware such as Frebniis.
In October 2022, Symantec discovered another malware used by the Cranefly hacking group that abused IIS logs to send and receive commands from the C2 server without raising any alarms.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
