Cybersecurity researchers have found a new malware that leverages a legitimate feature of Microsoft's Internet Information Services (IIS) to install a backdoor on targeted systems.
According to an advisory published last Thursday by Symantec, the malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan.
"The technique used by Frebniis involves injecting malicious code into the memory of a [dynamic link library] DLL file […] related to an IIS feature used to troubleshoot and analyze failed web page requests," reads the technical write-up.
At a basic level, IIS is a web server running on Windows systems that serves requested HTML pages or files. These servers accept requests from remote client computers and return the appropriate response.
"IIS has a feature known as Failed Request Event Buffering (FREB) that collects information and details about requests, such as originating IP address and port, HTTP headers with cookies, etc.," explained the Symantec team.
According to the security researchers, abusing this feature enabled the malware to stealthily monitor all HTTP requests while also immediately recognizing specially formatted HTTP requests sent by the attacker.
"These requests allow remote code execution [RCE] and proxying to internal systems in a stealthy manner," reads the advisory. "No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild."
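As an added illustration (not part of the article or of Symantec's advisory), the PowerShell below inventories the two things a defender would want to know on an IIS host after reading the above: which sites have Failed Request Tracing enabled, and which modules are loaded into the IIS worker processes. It assumes the WebAdministration module is installed and that it runs from an elevated prompt; the "signed by Microsoft" test is a triage heuristic, not a verdict.

```powershell
# Added defender-side inventory script (assumption: WebAdministration module
# present, run as Administrator). It does not detect Frebniis itself; it
# scopes the hosts and modules worth a closer look.
Import-Module WebAdministration

# 1. Sites with Failed Request Tracing (the FREB feature) switched on.
#    The per-site switch lives under traceFailedRequestsLogging in
#    applicationHost.config; Get-WebConfiguration exposes it as a property.
function Get-FrebEnabledSites {
    foreach ($site in Get-Website) {
        $cfg = Get-WebConfiguration -Filter "system.applicationHost/sites/site[@name='$($site.Name)']/traceFailedRequestsLogging"
        [pscustomobject]@{
            Site                 = $site.Name
            FailedRequestTracing = [bool]$cfg.enabled
            TraceDirectory       = $cfg.directory
        }
    }
}

# 2. Modules loaded into every w3wp.exe worker that are not validly signed
#    by Microsoft. Legitimate third-party handlers (PHP, etc.) will appear
#    here too; the list is for review, not automatic blocking.
function Get-UntrustedWorkerModules {
    $workers = Get-Process -Name w3wp -ErrorAction SilentlyContinue
    foreach ($w in $workers) {
        try { $modules = $w.Modules } catch { continue }   # 32/64-bit mismatch or access denied
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            $trusted = ($sig.Status -eq 'Valid') -and
                       ($sig.SignerCertificate.Subject -like '*Microsoft*')
            if (-not $trusted) {
                [pscustomobject]@{
                    WorkerPid = $w.Id
                    Module    = $m.FileName
                    Signature = $sig.Status
                }
            }
        }
    }
}

Get-FrebEnabledSites | Format-Table -AutoSize
Get-UntrustedWorkerModules | Format-Table -AutoSize

# Caveat: Frebniis injects into the memory of a DLL that IIS has already
# loaded, so the on-disk file and its Authenticode signature stay intact and
# the second check will not flag it. The injected code is only visible by
# comparing the in-memory image against the disk copy, or by watching for
# the specially formatted HTTP requests and internal proxying the advisory
# describes. Disabling Failed Request Tracing where it is not needed removes
# the feature the backdoor rides on.
```

Run it on each IIS host after confirming the Symantec indicators; the first table tells you which sites expose the abused feature, and the second surfaces sideloaded or unsigned modules that warrant a memory-level look.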
The Symantec team clarified that to use this technique, an attacker would first need to gain access to the Windows system running the IIS server by some other means. In the attack described in the advisory, the security researchers wrote that it was unclear how this access was achieved.
This is not the first time Microsoft's IIS has been used for malicious purposes. Back in 2020, the tech giant patched its servers after an increase in this type of attack.
More recently, Microsoft released patches for more than 70 CVEs, including three zero-day vulnerabilities.