Researchers from the cyber security firm Sygnia have identified a highly advanced and stealthy APT group that targets Microsoft IIS web servers running ASP.NET, using old, publicly known exploits to backdoor the victim organisation.
The researchers said these threat actors go after well-known and high-value organisations through their publicly hosted servers, using the compromised web server as the entry point into the internal network.
The Israeli security firm tracks the group as “Praying Mantis” or “TG1021” and wrote in its blog post: “The initial foothold within the network was obtained by leveraging a variety of deserialization exploits targeting Windows IIS servers and vulnerabilities targeting web applications. The activities observed suggest that Praying Mantis is highly familiar with the Windows IIS software and equipped with zero-day exploits.”
Praying Mantis stays under the radar by running entirely in memory as custom fileless malware built specifically for IIS servers, so nothing is written to disk for a scanner to find. The malware works in two stages.
In the first stage, a component named “NodeIISWeb” backdoors the IIS server; because it runs inside the web server it can also intercept and handle HTTP requests as they arrive, which is how the operators pass commands to it.
In the second stage, the malware lets Praying Mantis spread through the internal network: it performs network reconnaissance, escalates privileges and moves laterally to other hosts.
“The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth,” reads the report.
Researchers observed that the threat actors relied mostly on the following deserialization vulnerabilities in web applications hosted on IIS servers:
- Checkbox Survey RCE exploit (CVE-2021-27852)
- ASP.NET VIEWSTATE deserialization exploit
- Two exploits targeting the Telerik UI for ASP.NET AJAX component (CVE-2019-18935, CVE-2017-11317)
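The VIEWSTATE entry above is only exploitable when the attacker can produce a `__VIEWSTATE` blob that the server will accept and deserialize: either MAC validation is switched off, or the attacker knows the `machineKey` the server signs it with (a static key that leaked, or one reused across deployments). As an added example that is not part of Sygnia's report or of this article, the Python script below audits an ASP.NET `web.config` for those two conditions and also reports a registered Telerik UI for ASP.NET AJAX handler, so the assembly version can be checked against the two Telerik CVEs. The two sample configs, their key values and handler entries are constructed for illustration.

```python
"""Audit an ASP.NET web.config for settings that make a forged __VIEWSTATE
payload feasible, plus a registered Telerik UI for ASP.NET AJAX handler.

Added example for this article; not Sygnia's or CyberWorkx's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: every setting this audit flags, in one file.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <httpHandlers>
      <add path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" verb="*" />
    </httpHandlers>
  </system.web>
</configuration>
"""

# Constructed sample: MAC on, keys auto-generated per application, no Telerik.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text: str) -> list[str]:
    """Return one human-readable finding per risky setting (empty list if clean)."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")

    if system_web is not None:
        pages = system_web.find("pages")
        if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
            # Any client can then submit an unsigned, attacker-built ViewState.
            # Note: a patched .NET Framework enforces MAC regardless of this flag
            # (KB2905247), so this finding mainly matters on unpatched hosts.
            findings.append(
                "pages/@enableViewStateMac=false: ViewState accepted without a MAC; "
                "any client can submit a forged __VIEWSTATE for deserialization"
            )

        machine_key = system_web.find("machineKey")
        if machine_key is not None:
            for attr in ("validationKey", "decryptionKey"):
                value = machine_key.get(attr, "AutoGenerate,IsolateApps")
                if not value.upper().startswith("AUTOGENERATE"):
                    # A static key is a secret: whoever reads web.config (source
                    # leak, another tenant, an earlier LFI) can sign payloads.
                    # Web farms need a shared key, so the fix there is to treat
                    # it as a credential, restrict access and rotate it.
                    findings.append(
                        f"machineKey/@{attr} is static ({len(value)} chars): "
                        "anyone who obtains it can sign a malicious __VIEWSTATE"
                    )

    # Telerik registers its resource handler in system.web/httpHandlers (classic
    # mode) or system.webServer/handlers (integrated mode); iter() covers both.
    for handler in root.iter("add"):
        if "Telerik.Web.UI" in (handler.get("type") or ""):
            findings.append(
                "Telerik UI for ASP.NET AJAX handler registered: verify the "
                "Telerik.Web.UI assembly version is patched for CVE-2017-11317 "
                "and CVE-2019-18935"
            )
            break
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"[{label}]")
        for finding in audit_web_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against each `web.config` found under the IIS site roots; the check is deliberately config-only, so a clean result still needs the framework patch level and the actual Telerik assembly version confirmed on the host.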
CyberWorkx readers can check out the IOCs for this malware here.
For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.