Threat Analysts Identify an Incredibly Sneaky Windows Backdoor

The malware exploits a feature in Microsoft Internet Information Services (IIS) to secretly exfiltrate data and run malicious code on Windows devices.

Researchers have identified a sophisticated piece of malware that exploits a feature in Microsoft Internet Information Services (IIS) to secretly exfiltrate data and run malicious code on Windows devices.

IIS is a general-purpose web server for Windows machines. In the role of a web server, it accepts requests from remote clients and responds to them. According to network analytics company Netcraft, there were 51.6 million IIS instances scattered across 13.5 million distinct domains as of July 2021.

When a web request comes in from a remote client, IIS's Failed Request Event Buffering (FREB) functionality records metrics and additional information about it. Examples of the information that can be gathered are client IP addresses, port numbers, and HTTP headers including cookies. FREB takes requests that satisfy specific criteria out of a buffer and writes them to disk, assisting administrators in troubleshooting unsuccessful web requests. The approach can help isolate the root cause of 401 or 404 errors as well as stalled or abandoned requests.

Criminal hackers have discovered a way to take advantage of this FREB feature to sneak harmful code into protected areas of a network that has already been infiltrated and execute it there. Data from the same protected zones can likewise be exfiltrated through FREB. Because the traffic imitates legitimate web requests, the method offers a covert means of operating inside the hacked network.

Researchers from Symantec have named the post-exploitation malware that makes this possible Frebniis, and they reported on its use on Thursday. Before hijacking FREB's execution, Frebniis first checks that the feature is enabled. It then injects malicious code into the IIS process memory and runs it. Once the code is in place, Frebniis is able to examine every HTTP request that the IIS server receives.

“By hijacking and modifying IIS web server code, Frebniis is able to intercept the regular flow of HTTP request handling and look for specially formatted HTTP requests,” Symantec researchers stated. “These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.” 

A hacker must first gain access to the Windows system that is running the IIS server in order for Frebniis to function. Symantec researchers have not yet discovered Frebniis' method for doing this.

Frebniis parses every HTTP POST request that targets the default.aspx or logon.aspx files, which are used to serve default web pages and login pages, respectively. By sending one of these requests with the password "7ux4398!" included as a parameter, attackers can smuggle commands into an infected server. On receiving such a request, Frebniis decrypts and executes .NET code that provides the primary backdoor functionality. To make the procedure more covert, the code leaves no files on disk.

The .NET code accomplishes two tasks. First, it gives attackers a proxy through which they can use the infected IIS server to connect to or communicate with internal resources that are otherwise unreachable from the Internet. Its second function is to let the IIS server run code supplied remotely by an attacker: Frebniis automatically decodes and runs, in memory, any C# code sent in a request to the default.aspx or logon.aspx files. Again, because the code is executed directly in memory, the backdoor is significantly more difficult to find.
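A defender-side check for the trigger traffic described in the two paragraphs above, written as an added example that is not from the Symantec report or this post: it scans IIS W3C log entries (constructed sample data) for POST requests to default.aspx or logon.aspx whose logged query string carries the "7ux4398!" token. It assumes the token appears in the query string; standard IIS logs do not record POST bodies, so a request that carries it only in the body would need FREB traces, a WAF, or a network capture to be seen.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (sample data, not taken from the Symantec post).
# The #Fields header uses a subset of IIS's default W3C fields; the query string is
# logged in cs-uri-query, but request bodies are never written to these logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-02-16 10:01:02 10.0.0.5 GET /default.aspx - 443 203.0.113.7 Mozilla/5.0 200
2023-02-16 10:01:09 10.0.0.5 POST /logon.aspx user=alice 443 203.0.113.7 Mozilla/5.0 302
2023-02-16 10:02:31 10.0.0.5 POST /default.aspx p=7ux4398!&d=QUFBQQ 443 198.51.100.9 Mozilla/5.0 200
2023-02-16 10:03:00 10.0.0.5 POST /Logon.aspx key=7ux4398%21 443 198.51.100.9 curl/8.0 200
2023-02-16 10:04:12 10.0.0.5 POST /upload.aspx key=7ux4398! 443 198.51.100.9 curl/8.0 200
"""

TRIGGER_TOKEN = "7ux4398!"                        # password parameter reported by Symantec
TRIGGER_PAGES = {"/default.aspx", "/logon.aspx"}  # pages whose POSTs Frebniis parses


def parse_w3c(log_text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_frebniis_trigger(entry):
    """True for a POST to default.aspx/logon.aspx whose query carries the trigger token."""
    stem = entry.get("cs-uri-stem", "").lower()          # IIS paths are case-insensitive
    query = unquote(entry.get("cs-uri-query", ""))       # catch %21-encoded '!' as well
    return (entry.get("cs-method") == "POST"
            and stem in TRIGGER_PAGES
            and TRIGGER_TOKEN in query)


def find_frebniis_triggers(log_text):
    """Return (time, client IP, URI stem) for every matching entry, for alerting."""
    return [(e["time"], e["c-ip"], e["cs-uri-stem"])
            for e in parse_w3c(log_text) if is_frebniis_trigger(e)]


if __name__ == "__main__":
    for hit in find_frebniis_triggers(SAMPLE_LOG):
        print("possible Frebniis trigger:", hit)
```

A hit is only a starting point: confirm it by inspecting the IIS worker process for injected code and by checking whether FREB is enabled on the site, since Frebniis relies on it.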

It's unclear how widespread Frebniis is right now. Although the post gives two file hashes linked to the backdoor, it doesn't describe how to check a system to determine whether it is infected.