'Praying Mantis' threat actor targeting Windows internet-facing servers with malware


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Windows internet-facing servers are being targeted by a new threat actor operating "almost completely in-memory," according to a new report from the Sygnia Incident Response team.

The report said that the advanced and persistent threat actor -- which they have named "Praying Mantis" or "TG1021" -- mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment.

"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers wrote.

"The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement."

Over the last year, the company's incident response team has been forced to respond to a number of targeted cyber intrusion attacks aimed at several prominent organizations that Sygnia did not name.

"Praying Mantis" managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.

"The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also use an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks," the report explained.

"The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic."