New Frebniis Malware Abuses IIS Features for Secret Communications

A new malware, named Frebniis, has been spotted abusing a Microsoft IIS feature to execute malicious commands without triggering security alerts. It has been used by an unknown attacker to target organizations in Taiwan.

Frebniis abuses IIS 

Symantec's Threat Hunter Team has identified the malware, dubbed Frebniis, that abuses the Microsoft IIS feature called Failed Request Event Buffering (FREB) to establish a backdoor.
  • FREB collects information about requests, such as the originating IP address, ports, and HTTP headers, among others. It is usually used by administrators to troubleshoot problems related to HTTP status codes and request processing.
  • The malware injects malicious code into a DLL file, allowing the attacker to track all HTTP POST requests passing through the IIS server and recognize specific instructions sent by the attacker.
  • By sending specially crafted requests, the attacker can thus instruct the malware to execute the desired actions.

Additional technical details

The malware injects a .NET backdoor into the system that supports C# code execution and proxying, without the need for any human interaction.
  • The instructions are provided to the malware via the parameters passed to it during execution.
  • If the value 7ux4398! is passed as a parameter (by the attacker) in the HTTP request, it decrypts and executes the commands written at a specific section of the injected code.
  • The second parameter passed is a Base64-encoded string, which instructs the malware to communicate with and execute commands on other systems in that network via the compromised IIS server.
  • This allows the attacker to access internal network resources that are not exposed to the internet.

All the instructions are passed to the malware at runtime, and no files are saved on the disk, which keeps the backdoor completely stealthy.
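As an added example (not code from the article or from Symantec's analysis), the following check scans captured HTTP POST bodies for the exact trigger value the article names and surfaces any other parameter that decodes cleanly as Base64 for analyst review. It assumes form-urlencoded bodies and a (client IP, body) capture format; the inner layout of the Base64 parameter is not given in the article, so the code only decodes it.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Exact parameter value the article reports as Frebniis's activation trigger.
FREBNIIS_TRIGGER = "7ux4398!"


def decode_b64(value: str) -> Optional[bytes]:
    """Return the decoded bytes if value is strict Base64, otherwise None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(client_ip: str, body: str) -> Optional[dict]:
    """Flag a POST body carrying the trigger as an exact parameter value.

    Assumes (not stated in the article) application/x-www-form-urlencoded bodies.
    Other parameters that decode cleanly as Base64 are surfaced for analyst
    review; the article gives no inner format for the second parameter.
    """
    params = parse_qs(body, keep_blank_values=True)
    trigger_params = [n for n, vals in params.items() if FREBNIIS_TRIGGER in vals]
    if not trigger_params:
        return None
    decoded = {}
    for name, vals in params.items():
        for v in vals:
            raw = decode_b64(v)
            if v != FREBNIIS_TRIGGER and raw is not None:
                decoded[name] = raw.decode("utf-8", errors="replace")
    return {"client_ip": client_ip, "trigger_params": trigger_params, "decoded": decoded}


def scan(captures) -> list:
    """Run the check over (client_ip, body) pairs; return only the hits."""
    return [h for h in (inspect_post_body(ip, b) for ip, b in captures) if h]


# Constructed sample captures for the demo; none of this is real traffic.
SAMPLE_CAPTURES = [
    ("10.0.0.5", urlencode({"q": "invoices", "page": "2"})),
    ("203.0.113.7", urlencode({"a": FREBNIIS_TRIGGER,
                               "b": base64.b64encode(b"192.168.1.20:445").decode()})),
]
```

Because IIS does not log POST bodies by default, this check needs request bodies from a reverse proxy, WAF, or packet capture in front of the server.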

Ending notes

Frebniis does not just abuse a genuine Windows feature; it also keeps most of its code entirely in memory. Moreover, all interactions take place stealthily over HTTP, shielding it from network traffic-based security solutions as well. In the past, another malware dubbed Cranefly attempted to abuse IIS features to interact stealthily with its backdoor. Such tactics may prompt other malware developers to adopt similar stealth techniques.
Cyware Publisher
