Frebniis Malware Exploits Microsoft IIS Feature

Cybersecurity researchers have discovered a new piece of malware that takes advantage of legitimate features of Microsoft’s Internet Information Services (IIS) to install backdoors on targeted systems.

According to an advisory released by Symantec last Thursday, the malware, dubbed “Frebniis,” was used by a previously unknown attacker against targets in Taiwan.

“The technique used by Frebniis involves injecting malicious code into the memory of a DLL [dynamic link library] file […] related to an IIS feature used for troubleshooting and analyzing failed web page requests,” read the technical article.

At its basic level, IIS is a web server that runs on your Windows system and serves requested HTML pages or files. These servers can accept requests from remote client computers and return appropriate responses.

“IIS has a feature called Failed Request Event Buffering (FREB) that collects data and details about the request, such as the originating IP address and port, and HTTP headers, including cookies,” the Symantec team wrote.

According to the researchers, abusing this feature allowed the malware to surreptitiously monitor all HTTP requests reaching the server while recognizing specially formatted HTTP requests sent by the attacker.

“These requests allow remote code execution [RCE] and proxying to internal systems in a stealthy manner,” reads the advisory. “No files or suspicious processes run on the system, making Frebniis a relatively unique and uncommon type of HTTP backdoor found in the wild.”

The Symantec team noted that an attacker would first have to gain access to the Windows system running the IIS server through other means in order to use this technique. In the attack described in the advisory, the researchers wrote that it was unclear how this access was achieved.
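Because the backdoor rides on FREB and lives in the memory of an IIS worker process, a defender's first questions are which sites have failed-request tracing enabled and what the w3wp.exe processes have loaded. The following PowerShell audit is an added example, not code from Symantec or the advisory; it assumes the WebAdministration module and an elevated session, and the trusted-directory list is an assumption for a default install.

```powershell
# Added defensive audit (not from the advisory): report FREB status per IIS site
# and list DLLs loaded into IIS worker processes from outside the usual
# Windows/IIS directories. Assumes WebAdministration and an elevated shell.
Import-Module WebAdministration

function Get-FrebStatus {
    # One row per site: whether Failed Request Tracing is enabled and where it logs.
    Get-Website | ForEach-Object {
        [pscustomobject]@{
            Site   = $_.Name
            FrebOn = [bool]$_.traceFailedRequestsLogging.enabled
            LogDir = $_.traceFailedRequestsLogging.directory
        }
    }
}

function Get-UnusualW3wpModules {
    # Modules loaded by w3wp.exe whose file lives outside the trusted roots.
    # $trusted is an assumption for a default install; adjust for your layout.
    $trusted = @(
        "$env:windir\System32",
        "$env:windir\SysWOW64",
        "$env:windir\assembly",
        "$env:windir\Microsoft.NET"
    )
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $proc.Modules | Where-Object {
            $path = $_.FileName
            -not ($trusted | Where-Object { $path -like "$_*" })
        } | ForEach-Object {
            [pscustomobject]@{ Pid = $proc.Id; Module = $_.ModuleName; Path = $_.FileName }
        }
    }
}

Get-FrebStatus | Format-Table -AutoSize
Get-UnusualW3wpModules | Format-Table -AutoSize
```

Since the advisory stresses that no files are dropped, the module listing only catches on-disk additions; an unexpected FREB enablement on a site that has no troubleshooting need is the stronger signal here, and confirming in-memory patching of a legitimately loaded DLL requires memory inspection rather than a module list.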

This is not the first time Microsoft’s IIS has been used for malicious purposes. Back in 2020, the tech giant patched the server after an increase in this type of attack.

More recently, Microsoft released patches for over 70 CVEs, including three zero-day vulnerabilities.
