AL2023_17 Microsoft IIS servers targeted with new backdoor malware (February 17, 2023)

Description  

The Symantec Threat Hunter Team recently discovered a new malware called Frebniis that is targeting Microsoft Internet Information Services (IIS) servers to deploy a backdoor onto targeted devices. 

Details 

The new malware, dubbed Frebniis, abuses a feature of Microsoft's IIS web server to deploy a backdoor, and is currently being used by an unidentified threat actor or group against Taiwan-based targets. Abusing the feature requires prior access to the Windows host running IIS; researchers were unable to determine the initial access vector used to obtain that foothold. 

Microsoft IIS is a web server for Windows that is used to host, deploy and manage web applications and content. One of its features, Failed Request Tracing, is used to troubleshoot failed IIS requests: for example, to determine why a request returns a particular HTTP status code such as 401 or 404, or why a request takes too long to process or to respond. The component behind it, Failed Request Event Buffering (FREB), collects data about each request, such as HTTP headers, cookies, and IP addresses and port numbers.  

Once on the host, Frebniis checks whether Failed Request Tracing is enabled and reads the memory of the IIS worker process, w3wp.exe, to locate the code of the Failed Request Event Buffering module (iisfreb.dll). It targets one specific function pointer in that module: the function that checks whether the contents of an HTTP request match the Failed Request Tracing rules. Frebniis injects its own code into the IIS process and overwrites that pointer with the address of the injected code. As a result, every HTTP request that reaches the server passes through the malicious code first and is then handed to the original function, so normal request handling is unaffected and the hook is hard to notice. 

The injected code inspects every HTTP POST request to /logon.aspx or /default.aspx for specific parameters, including a password parameter set to '7ux4398!'. When the parameters match, it decrypts and executes an embedded payload: a .NET backdoor that provides proxying and remote code execution entirely in memory, never writing anything to the device's disk. The backdoor is controlled by a second HTTP parameter carrying a Base64-encoded string, which decodes to one of the following commands: 

Command   Function name   Parameter             Description
1         CreateConnect   Host:Port             Connect to a remote system for proxying; returns a UUID representing the remote system
2         ReadScoket      Uuid                  Read a Base64 string from the remote system
3         Writescoket     Uuid, Base64 string   Write a Base64 string to the remote system
4         CloseScoket     Uuid                  Close the connection

The proxy function is triggered when the string, once Base64 decoded and decrypted, yields a proxy command followed by its expected parameters. The proxy relays Base64-encoded data between the attacker and other systems, which allows the threat actor to use the compromised IIS server as a pivot to reach internal systems and resources that are normally unreachable from the internet.  

The backdoor also supports remote code execution from an XML document containing C# code. For this, a request is made to logon.aspx or default.aspx carrying the Base64 string but without the password parameter. The string is decoded and decrypted into an XML document, from which the C# code is extracted and executed. This gives Frebniis arbitrary code execution on the host without leaving a file on disk. 
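The request pattern described above (POST to /logon.aspx or /default.aspx, the hard-coded password for the proxy channel, and a Base64-encoded encrypted blob for both the proxy and the C# execution channel) can be hunted for in captured traffic. The following is an added example, not code from this advisory, from Symantec or from Microsoft. It assumes requests are available as raw HTTP text (for instance exported from a packet capture or from a reverse proxy that logs request bodies; standard IIS logs do not record POST bodies). The advisory does not name the second (command) parameter, so every parameter other than password is inspected, and the "opaque Base64" test is a heuristic: Base64 that decodes to bytes which are not UTF-8 text. The sample requests are constructed for the example.

```python
"""Hunt for Frebniis-style command traffic in captured HTTP requests.

Added example; not code from the advisory, Symantec or Microsoft. It assumes
requests are available as raw HTTP text (e.g. exported from a packet capture
or from a reverse proxy that logs bodies). The advisory does not name the
second (command) parameter, so every non-password parameter is inspected.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

TARGET_PATHS = {"/logon.aspx", "/default.aspx"}   # pages hooked per the advisory
FREBNIIS_PASSWORD = "7ux4398!"                    # hard-coded value reported
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw):
    """Split raw HTTP text into (method, lower-cased path, merged parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return method, parts.path.lower(), params


def looks_like_ciphertext(value, min_len=16):
    """Heuristic: Base64 that decodes to bytes which are not UTF-8 text.

    The advisory says the command parameter is Base64 of encrypted data, so
    anything that decodes to readable text is treated as benign. Form decoding
    turns '+' into ' ', so spaces are restored before Base64 decoding.
    """
    value = value.replace(" ", "+")
    if len(value) < min_len or not B64_RE.match(value):
        return False
    try:
        data = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def assess(raw):
    """Score one request: 100 = hard-coded password seen, 40 = opaque Base64 blob."""
    method, path, params = parse_request(raw)
    verdict = {"method": method, "path": path, "score": 0, "reasons": []}
    if method != "POST" or path not in TARGET_PATHS:
        return verdict
    if FREBNIIS_PASSWORD in params.get("password", []):
        verdict["score"] += 100
        verdict["reasons"].append("hard-coded Frebniis password (proxy command channel)")
    blobs = sorted(k for k, vals in params.items()
                   if k != "password" and any(looks_like_ciphertext(v) for v in vals))
    if blobs:
        verdict["score"] += 40
        verdict["reasons"].append("opaque Base64 blob in parameter(s): " + ", ".join(blobs))
    return verdict


def scan(requests):
    """Return verdicts for every request that scored, highest score first."""
    hits = [v for v in (assess(r) for r in requests) if v["score"] > 0]
    return sorted(hits, key=lambda v: v["score"], reverse=True)


# Constructed sample traffic (not real captures). _BLOB stands in for
# ciphertext: 32 bytes that can never be valid UTF-8, Base64 then URL-encoded.
_BLOB = quote(base64.b64encode(bytes(range(128, 160))).decode(), safe="")
SAMPLE_REQUESTS = [
    "POST /logon.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=Spring2023",                         # normal login
    "POST /logon.aspx HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    "password=7ux4398%21&cmd=" + _BLOB,                          # proxy channel
    "POST /Default.aspx HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    "data=" + _BLOB,                                             # no password: C# channel
    "GET /default.aspx?cmd=" + _BLOB + " HTTP/1.1\r\n"
    "Host: www.example.test\r\n\r\n",                            # GET: not a match
]

if __name__ == "__main__":
    for v in scan(SAMPLE_REQUESTS):
        print(v["score"], v["method"], v["path"], "; ".join(v["reasons"]))
```

The password match is the only high-confidence signal; the blob heuristic on its own will also fire on legitimate applications that post encrypted or binary form fields to these pages, so treat a 40 as a lead to review, not an alert.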

Indicators of Compromise 

Two SHA-256 file hashes have been identified as IOCs for this malware:  

  • b81c177c440e84635f22dc97b0411de93a24a983a41af676ffbbb4439487aaef 
  • 6464f9a5da26aa53fb2221255e908fd4da8edf0633f94051beee74a14b9b001c 
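A read-only sweep of a directory tree for the two hashes above, as an added example that is not part of this advisory. Note that the decrypted .NET backdoor runs only in memory, so a sweep that finds nothing shows only that no IOC file is on disk, not that the host is clean.

```python
"""Read-only sweep of a directory tree for the Frebniis SHA-256 IOCs.

Added example, not code from the advisory. The hashes are the two values the
advisory lists. The decrypted .NET backdoor runs only in memory, so a clean
sweep means no IOC file was found on disk, not that the host is uncompromised.
"""
import hashlib
from pathlib import Path

FREBNIIS_SHA256 = {
    "b81c177c440e84635f22dc97b0411de93a24a983a41af676ffbbb4439487aaef",
    "6464f9a5da26aa53fb2221255e908fd4da8edf0633f94051beee74a14b9b001c",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=FREBNIIS_SHA256):
    """Return [(path, sha256)] for every regular file whose hash is an IOC."""
    matches = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue          # locked or unreadable files are skipped, not fatal
        if digest in iocs:
            matches.append((str(path), digest))
    return matches


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep(root):
        print(f"IOC match: {path} {digest}")
```

Run it against the IIS content and system directories (for example the web root and the directories from which w3wp.exe loads modules); on a Windows host it needs an account that can read those paths.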

Remediation 

Because the initial access vector is unknown, no single preventive control can be recommended. The usual hygiene still applies: keep the operating system, IIS and hosted applications patched to reduce the chance of a known vulnerability being exploited, and be cautious when browsing and when viewing or opening email. The details above also give administrators concrete things to check. Frebniis only works where Failed Request Tracing is enabled, so confirm it is enabled only on servers that need it. It runs inside the IIS worker process, so look for unexpected injected code or threads in w3wp.exe. It is driven by POST requests to /logon.aspx and /default.aspx, so inspect traffic to those pages for the hard-coded password and for opaque Base64 parameters; note that standard IIS logs do not record POST bodies, so this requires a packet capture or a proxy that logs request bodies. Because the backdoor runs entirely in memory, file-based scanning alone will not find the running payload; network monitoring and memory analysis of the IIS process are needed to detect it. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     

PDF Download: Microsoft IIS servers targeted with new backdoor malware.pdf

References