Frebniis malware abuses Microsoft IIS feature to create a backdoor
Experts detected malware called Frebniis that abuses a Microsoft IIS feature to implement a backdoor and monitor all HTTP traffic to the system.
Broadcom Symantec researchers have detected a new malware, tracked as Frebniis, that abuses Microsoft Internet Information Services (IIS) to deploy a backdoor and monitor all HTTP traffic to the infected system, Symantec reports.
The malicious code was used in attacks against targets in Taiwan by a currently unknown threat actor.
Frebniis works by injecting code into the memory of iisfreb.dll, which is used by IIS's Failed Request Event Buffering (FREB) feature to troubleshoot failed requests.
“The technique used by Frebniis consists of injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS function used for troubleshooting and analyzing failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing remote code execution,” reads the report published by Symantec. “To use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is not clear how this access was achieved.”
The IIS Failed Request Event Buffering (FREB) feature collects data and details about requests, such as HTTP headers with cookies, the source IP address and port, and so on.
A feature called Failed Request Tracing can be used to troubleshoot IIS failed requests. Frebniis ensures that Failed Request Tracing is enabled as part of the attack, then accesses the memory of the w3wp.exe (IIS) process, obtaining the address where the Failed Request Event Buffering code (iisfreb.dll) is loaded.
Having obtained the code start address for the function, the Frebniis malware searches from there for a function pointer table to hijack code execution and achieve execution of its malicious code.
“The authors of Frebniis have determined that iiscore.dll calls a particular function pointer within iisfreb.dll whenever an HTTP request is made to IIS from a web client,” the report continues. “Frebniis hijacks this function by injecting its own malicious code into the IIS process memory and then replacing this function pointer with the address of its own malicious code.”
Frebniis parses all requests for /logon.aspx or /default.aspx with a specific parameter password, allowing it to decrypt and execute .NET code when a password match is found.
The malicious code parses all HTTP POST requests received for /logon.aspx or /default.aspx along with a parameter password set to ‘7ux4398!’. When the password matches, the malware decrypts and executes the main backdoor contained in a section of the injected code. The backdoor is .NET executable code. The experts pointed out that the malware does not save executables to disk, making it completely stealthy.
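For defenders, the request pattern described above can be hunted for in IIS access logs. The following is an added example, not code from Symantec or Security Affairs: it assumes W3C extended logs with the fields shown, the log lines are constructed, and the function name `hunt` is hypothetical. The article does not say whether the parameter travels in the query string or the POST body, so the script treats a query-string match as an indicator and every other POST to the two paths as a candidate for review.

```python
from urllib.parse import parse_qs

# Indicators taken from the article; everything else here is constructed.
PATHS = {"/logon.aspx", "/default.aspx"}
PASSWORD = "7ux4398!"

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-02-16 09:14:02 203.0.113.7 GET /default.aspx - 200
2023-02-16 09:14:40 203.0.113.7 POST /Logon.aspx password=7ux4398%21 200
2023-02-16 09:15:11 198.51.100.23 POST /default.aspx - 200
2023-02-16 09:15:30 198.51.100.23 POST /api/orders id=4 201
"""

def hunt(log_text):
    """Return (level, client_ip, timestamp, path) for suspicious POSTs.

    level is "indicator" when the query string carries the known password,
    "candidate" when the path matches but no password is visible. W3C logs
    do not record POST bodies, so a body-borne parameter only ever shows
    up as a candidate.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "POST":
            continue
        path = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if path not in PATHS:
            continue
        query = row.get("cs-uri-query", "-")
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        level = "indicator" if PASSWORD in params.get("password", []) else "candidate"
        hits.append((level, row.get("c-ip"), f"{row.get('date')} {row.get('time')}", path))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Candidate hits are expected on sites that legitimately serve these pages, so they are a starting point for correlation with proxy or WAF captures rather than a verdict.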
The backdoor implements proxy functionality and remote code execution.

The code provides proxy and remote code execution capabilities, allowing malware operators to communicate with internal resources that are normally blocked from accessing the Internet, as well as execute code directly in memory using crafted HTTP requests.
“These requests allow remote code execution and transmission to internal systems in a stealthy manner. No suspicious files or processes will be executed on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild,” concludes Symantec.
The cybersecurity firm says that Frebniis has been used by an unknown threat actor in attacks targeting entities in Taiwan.
Pierluigi Paganini
(SecurityAffairs – hacking, Frebniis)