Windows Backdoor that’s unusually Stealthy

upnorth

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Content source
https://arstechnica.com/information-technology/2023/02/new-backdoor-targeting-windows-servers-is-ultra-stealthy/
Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS).

IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.

Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server. “By hijacking and modifying IIS web server code, Frebniis is able to intercept the regular flow of HTTP request handling and look for specially formatted HTTP requests,” Symantec researchers wrote. “These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.”

Before Frebniis can work, an attacker must first hack the Windows system running the IIS server. Symantec researchers have yet to determine how Frebniis does this.
Click to expand...
arstechnica.com

Researchers unearth Windows backdoor that’s unusually stealthy

Frebniis abuses Microsoft IIS to smuggle malicious commands in web traffic.
arstechnica.com arstechnica.com
 
  • Like
  • +Reputation
Reactions: struppigel, plat, Andy Ful and 4 others
You must log in or register to reply here.

Similar threads

lokamoka820
New Update SysGauge Updates Thread
Replies
1
Views
140
System utilities
lokamoka820
lokamoka820
upnorth
    • Like
Microsoft Exchange Servers Worldwide Hit by Stealthy New Backdoor
Replies
0
Views
858
News Archive
upnorth
upnorth
upnorth
    • Like
    • +Reputation
Cranefly Cyberspy Group Spawns Unique ISS Technique
Replies
0
Views
527
News Archive
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top