Researchers unearth Windows backdoor that’s unusually stealthy

A cartoon door leads to a wall of computer code.

Researchers have discovered sophisticated malware that exploits Microsoft Internet Information Services (IIS) functionality to covertly steal data from Windows systems and execute malicious code.

IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns appropriate responses. In July 2021, network intelligence company Netcraft announced that his 51.6 million instances of IIS are spread across 13.5 million unique domains.

IIS provides a feature called failed request event buffering that collects metrics and other data about web requests received from remote clients. His two examples of data that can be collected are client IP addresses and port and HTTP headers, including cookies. FREB helps her administrator troubleshoot her failed web requests by fetching from the buffer and writing to disk those that meet certain criteria. This mechanism helps determine the cause of a 401 or 404 error, or the cause of a stalled or aborted request.

Criminal hackers have found ways to abuse this FREB feature to smuggle and execute malicious code into protected areas of already compromised networks. Hackers can also use her FREB to exfiltrate data from the same protected area. Because this technique blends in with legitimate eeb requests, it provides a stealthy method of further infiltration into a compromised network.

The post-exploitation malware that enables this is called Frebniis by Symantec researchers who reported on its use on Thursday. Frebniis first checks that FREB is enabled and then hijacks FREB execution by injecting malicious code into the IIS process memory and causing it to execute. With the code in place, Frebniis can inspect every HTTP request her IIS server receives.

“By hijacking and modifying the IIS web server code, Frebniis is able to intercept the normal flow of HTTP request processing and look for specially formatted HTTP requests,” said Symantec researchers. I am writing. “These requests result in remote code execution and covert proxies to internal systems. No files or suspicious processes are running on the system, making Frebniis a relatively unique application seen in the wild. It’s a rare type of HTTP backdoor in

Before Frebniis can work, an attacker must first hack the Windows system running the IIS server. Symantec researchers have not yet determined how Frebniis does this.

Frebniis parses all HTTP POST requests that call the logon.aspx or default.aspx files. These files are used to create the login page and serve the default web page respectively. By sending her one of these requests and adding the password “7ux4398!”, an attacker can sneak a request into an infected server. as a parameter. Upon receiving such a request, Frebniis decrypts and executes .Net code that controls key backdoor functionality. To make the process more stealthy, the code does not drop files to disk.

.NET code serves two purposes. First, it provides a proxy that allows the attacker to use her compromised IIS server to interact or communicate with internal resources that are not accessible from the Internet. The following table shows the commands they are programmed to run.

Table 1. Frebniis Commands — Malware Authors Misspelled Function Names
instructions function name parameter explanation
1 Create Connect host:port Connects to a remote system for proxy and returns a UUID representing the remote system
2 read scotch wid Read Base64 string from remote system
3 light scorket Uuids, Base64 strings Write a Base64 string to a remote system
Four close scotch Wid close the connection

A second purpose of the .Net code is to allow remote execution of attacker-provided code on the IIS server. By sending a request to a logon.aspx or default.aspx file containing code written in C#, Frebniis will automatically decode it and execute it in memory. Again, executing code directly in memory makes backdoors much harder to detect.

The figure which shows the usage of Fleb Nice.

The figure which shows the usage of Fleb Nice.

Symantec

It’s not clear how widely used Hlebnice is now. The post provides two file hashes related to the backdoor, but does not explain how to search the system to see if they exist.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *