Hackers backdoor Microsoft IIS servers with new Frebniis malware

Hackers are deploying a new malware named ‘Frebniis’ on Microsoft Internet Information Services (IIS) web servers that stealthily executes commands sent via web requests.

Frebniis was discovered by Symantec’s Threat Hunter Team, who reported that an unknown threat actor is currently using it against Taiwan-based targets.

Microsoft IIS is Microsoft's web server and web application hosting platform, used among other things to serve Outlook on the Web for Microsoft Exchange.

In the attacks seen by Symantec, the hackers abuse an IIS feature called ‘Failed Request Event Buffering’ (FREB), responsible for collecting request metadata (IP address, HTTP headers, cookies). Its purpose is to help server admins troubleshoot unexpected HTTP status codes or request processing problems.

The malware injects malicious code into a specific function of the DLL that implements FREB (“iisfreb.dll”), which lets the attacker intercept and monitor all HTTP POST requests reaching the IIS server. When the injected code sees the specially crafted requests the attacker sends, it parses them to determine what commands to execute on the server.

Symantec says the threat actors must already have compromised the IIS server before they can tamper with the FREB module, so Frebniis is a post-compromise implant rather than an initial-access technique; the researchers could not determine how initial access was obtained.

The injected code is a .NET backdoor that supports proxying and C# code execution entirely in memory, without writing anything to disk, which leaves few artifacts for file-based scanning to find. It watches for requests to the logon.aspx or default.aspx pages that carry a specific password parameter.

A second HTTP parameter, a Base64-encoded string, instructs Frebniis to communicate with and execute commands on other systems via the compromised IIS server, potentially reaching protected internal hosts that are not exposed to the internet.

The malware supports the following commands:

[Image: Commands sent to Frebniis via specially crafted HTTP requests (Symantec)]

“If an HTTP call to logon.aspx or default.aspx is received without the password parameter, but with the Base64 string, the Base64 string is assumed to be C# code that will be executed straight in memory,” explains Symantec’s report.

“The Base64 string is decoded and then decrypted (xor 0x08) and is expected to be an XML document with the C# code to be executed in the ‘/doc’ node under the ‘data’ attribute (E.g. <doc data=C# code>).”
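As an added example that is not part of the article or of Symantec's report, the following Python triage routine applies the request shape described above to captured HTTP requests, for use behind a reverse proxy or WAF that records POST bodies. The page does not name the password parameter or the second parameter, so the detector tries every form field; the sample requests, the parameter names in them and the C# snippet they carry are constructed for this example, and `decode_frebniis_payload` mirrors the decoding steps Symantec describes rather than being the malware's own code.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

XOR_KEY = 0x08                                  # decryption key reported by Symantec
WATCHED_PAGES = ("logon.aspx", "default.aspx")  # pages the backdoor hooks


def decode_frebniis_payload(value):
    """Interpret one parameter value the way the article describes the backdoor
    doing it: Base64 -> XOR 0x08 -> XML '<doc data="..."/>'. Returns the embedded
    C# source, or None when the value does not have exactly that shape."""
    # A '+' in a form-decoded Base64 string arrives as a space; undo that.
    value = value.strip().replace(" ", "+")
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    plain = bytes(b ^ XOR_KEY for b in raw)
    try:
        root = ET.fromstring(plain.decode("utf-8"))
    except (ET.ParseError, UnicodeDecodeError):
        return None
    if root.tag != "doc" or "data" not in root.attrib:
        return None
    return root.attrib["data"]


def encode_frebniis_payload(csharp):
    """Inverse of decode_frebniis_payload; used only to build the constructed
    sample request below (hypothetical helper, not the actor's tooling)."""
    xml = '<doc data="%s"/>' % escape(csharp, {'"': "&quot;"})
    enc = bytes(b ^ XOR_KEY for b in xml.encode("utf-8"))
    return base64.b64encode(enc).decode("ascii")


def triage_request(method, path, body):
    """Return a list of findings for one captured request (empty if clean).
    Only POSTs to the two hooked pages are inspected, matching the article;
    every form field is tried because the page does not name the parameters."""
    findings = []
    page = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if method.upper() != "POST" or page not in WATCHED_PAGES:
        return findings
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            code = decode_frebniis_payload(v)
            if code is not None:
                findings.append({"page": page, "param": name, "csharp": code})
    return findings


# Constructed sample traffic (hypothetical; parameter names are assumptions).
SAMPLE_REQUESTS = [
    # Ordinary OWA logon: password present, no encoded payload.
    ("POST", "/owa/auth/logon.aspx",
     urlencode({"username": "alice", "password": "hunter2", "flags": "4"})),
    # No password parameter but a Base64 string: the C#-execution path.
    ("POST", "/default.aspx",
     urlencode({"p": encode_frebniis_payload(
         'System.IO.File.ReadAllText(@"C:\\inetpub\\wwwroot\\web.config");')})),
    # Not a POST, so not inspected.
    ("GET", "/default.aspx", ""),
]


def triage_all(requests=SAMPLE_REQUESTS):
    """Run triage_request over a list of (method, path, body) tuples."""
    out = []
    for method, path, body in requests:
        out.extend(triage_request(method, path, body))
    return out


if __name__ == "__main__":
    for hit in triage_all():
        print("suspect %s param=%s: %s" % (hit["page"], hit["param"], hit["csharp"]))
```

Two caveats for anyone deploying something like this: standard IIS W3C logs do not record POST bodies, so the check has to run at a capture point that does (a reverse proxy, WAF or full-packet capture), and the XOR key and XML wrapper are properties of the sample Symantec analysed, so a variant can change them while the hook in iisfreb.dll stays the same.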
