The newly discovered Frebniis malware has abused the MS IIS feature to run malicious commands without raising any suspicions from security defenders. The malware operators are still unknown but have already targeted several Taiwanese organisations.
Based on reports, the Frebniis malware abuses the Microsoft IIS feature called ‘Failed Request Event Buffering (FREB)’ to launch a backdoor.
The ‘Failed Request Event Buffering’ feature gathers details about requests, such as ports, originating IP address, and HTTP headers. Administrators commonly use this feature to troubleshoot HTTP status and request-processing issues.
The malware then injects malicious code into a DLL file, enabling its operators to monitor all HTTP POST requests that pass through the IIS server and recognise instructions sent by the threat actors.
The attackers could instruct the malware to run their commands by passing specific maliciously formed requests.
The Frebniis malware could also deploy additional backdoors on a targeted system.
Frebniis malware can also inject a .NET backdoor into the system that enables C# code execution and proxying without any human interaction. It receives these instructions through parameters supplied during execution.
If an attacker passes the value ‘7ux4398’ as a parameter in the HTTP request, the malware decrypts and runs the commands stored in a particular portion of the injected code. The second parameter is passed as a Base64-encoded string.
This parameter instructs the malware to contact and execute commands on other systems in the infected network through the compromised IIS feature. This capability could allow an attacker to reach an internal network resource that is not accessible from the internet.
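The trigger value ‘7ux4398’ and the Base64-encoded second parameter described above are the only request-level indicators this report gives, so a defender's first check is to look for them in captured POST traffic to an IIS server. The following detection script is an added example written for this article, not code from the report or from any vendor: it parses raw HTTP requests (the sample requests are constructed for the demonstration), extracts query-string and form parameters, and flags any request whose parameter value equals the trigger together with a second parameter that decodes as valid Base64. The assumption that the trigger appears as a parameter value, and that the inspected traffic is available in plaintext (for example from a reverse proxy or FREB trace), is the script's own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Indicator quoted in the report: the parameter value that makes the
# injected FREB code decrypt and run its embedded commands.
FREBNIIS_TRIGGER = "7ux4398"

# Constructed sample traffic (not real captures): one ordinary login POST
# and one POST carrying the trigger value plus a Base64 second parameter.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&pw=Winter2023",
    "POST /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "key=7ux4398&data=" + base64.b64encode(b"constructed-sample-payload").decode(),
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def _form_params(req: dict) -> dict:
    """Collect query-string and form-body parameters as {name: [values]}."""
    params = {}
    _, _, query = req["path"].partition("?")
    params.update(parse_qs(query, keep_blank_values=True))
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and "application/x-www-form-urlencoded" in ctype:
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def _looks_base64(value: str) -> bool:
    """True if the value is a well-formed Base64 string of plausible length."""
    if not _B64.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def inspect_request(raw: str) -> list:
    """Return finding names for one request; an empty list means no indicator."""
    req = parse_request(raw)
    params = _form_params(req)
    findings = []
    if any(FREBNIIS_TRIGGER in values for values in params.values()):
        findings.append("frebniis_trigger_value")
        others = [v for values in params.values() for v in values if v != FREBNIIS_TRIGGER]
        if any(_looks_base64(v) for v in others):
            findings.append("base64_second_parameter")
    return findings


def scan(requests: list) -> dict:
    """Map the index of each suspicious request to its findings."""
    alerts = {}
    for index, raw in enumerate(requests):
        findings = inspect_request(raw)
        if findings:
            alerts[index] = findings
    return alerts


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {index}: {', '.join(findings)}")
```

Because the trigger is a fixed string, this check is only useful against the variant the report describes; the same parser can be fed other indicator values as they are published. Run the script as-is to see the second constructed request flagged and the first pass clean.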
Cybersecurity experts explained that the Frebniis malware not only abuses a legitimate Windows feature but also keeps most of its code in memory. Furthermore, all interactions between the threat actors and the malware are hidden within ordinary HTTP traffic, which helps them evade network-traffic-based security solutions.
In previous years, a handful of threat actors have tried to abuse Microsoft IIS features to interact covertly with their backdoors. These strategies could inspire other malware developers to refine this tactic and build more sophisticated campaigns.