'Praying Mantis' threat actor targeting Windows internet-facing servers with malware

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,165
Content source
https://www.zdnet.com/article/praying-mantis-threat-actor-targeting-windows-internet-facing-servers-with-malware/
Windows internet-facing servers are being targeted by a new threat actor operating "almost completely in-memory," according to a new report from the Sygnia Incident Response team.

The report said that the advanced and persistent threat actor -- which they have named "Praying Mantis" or "TG1021" -- mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment.

"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers wrote.

"The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement."

Over the last year, the company's incident response team has been forced to respond to a number of targeted cyber intrusion attacks aimed at several prominent organizations that Sygnia did not name.

"Praying Mantis" managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.

"The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also use an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks," the report explained.

"The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic."
Click to expand...
www.zdnet.com

'Praying Mantis' threat actor targeting Windows internet-facing servers with malware

A Sygnia Incident Response team report found that the advanced and persistent threat actor was operating almost completely in-memory.
www.zdnet.com www.zdnet.com
 
  • Like
  • +Reputation
Reactions: Venustus, Yanick, harlan4096 and 2 others
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Malware News Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT
Replies
0
Views
825
Security News
silversurfer
silversurfer
silversurfer
    • Like
    • +Reputation
Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
Replies
1
Views
1,247
News Archive
nickstar1
nickstar1
[correlate]
    • Like
Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware
Replies
0
Views
1,039
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top