APT group hits IIS web servers with deserialisation flaws and memory-resident malware

Praying Mantis group is likely a nation-state actor that uses custom malware and is adept at avoiding detection.

The NodeIISWeb malware hooks into the IIS input validation functions and can read all incoming HTTP traffic to the server. This gives attackers a method of controlling the malware by sending crafted requests to the server with certain cookie names and values that the malware program expects and monitors for.

Since attackers can send instructions through this HTTP mechanism, NodeIISWeb does not generate outgoing connections to a command-and-control server that could potentially be detected by traffic monitoring solutions.

That said, the malware implements several traffic forwarding methods for TCP, HTTP and SQL that allow it to serve as a proxy or command-and-control channel for other malware instances running on compromised servers inside the same network that might not be exposed directly to the Internet. It can also execute JScript payloads and load additional DLL modules that extend its functionality.

NodeIISWeb is often used to deploy another custom Windows backdoor called ExtDLL.dll that can be used to manipulate files and directories, gather system info, load and execute DLLs and implement various attack techniques such as code injection and token manipulation.

This component also hooks into and manipulates various security functions present on the system to hide its activities, including AV scanning functions, event log reporting functions, .NET code trust checks and PowerShell related registry keys.

One of the additional DLL modules loaded by NodeIISWeb and ExtDLL.dll is called PSRunner.dll and allows running PowerShell scripts on a host without spawning a PowerShell process. Another one is called Forward.dll and implements the HTTP traffic forwarding capability.

PotatoEx.dll is a privilege escalation and Active Directory mapping tool, and E.dll generates custom HTTP responses that let attackers verify that an exploit executed successfully on a target IIS server.

Praying Mantis used its access to compromised IIS servers to modify login pages for existing applications to capture user credentials and save them in a separate file, and to deploy publicly available offensive security tools including SharpHound and PowerSploit that were loaded directly into memory without leaving traces on disk. The group was also seen accessing shared folders on internal servers over SMB by using compromised domain credentials.

Praying Mantis detection and prevention

Detecting Praying Mantis' activities is not easy because of the volatile nature of its memory-resident malware and the group's attention to operational security.

The Sygnia researchers recommend patching .NET deserialisation vulnerabilities, searching for the indicators of compromise published in their report, scanning internet-facing IIS servers with YARA rules designed to detect the group's tools and actively hunting for suspicious activity on IIS environments.

Validating the use of ASP.NET VIEWSTATE, or of custom implementations of the same mechanism such as the compressed VSTATE in Checkbox Survey, is critical to protecting ASP.NET applications against VIEWSTATE deserialisation flaws. In the application's web.config, the enableViewStateMac attribute of the pages element should be set to "true" (its default value) and the aspnet:AllowInsecureDeserialization appSettings key should be set to "false".

On the server, the AspNetEnforceViewStateMac registry value (under HKLM\SOFTWARE\Microsoft\ASP.NET) should be set to 1, and encryption and validation keys should be handled with care: servers should use auto-generated machine keys, and where a static machineKey is required (for example across a web farm) it should be rotated routinely to limit the window in which a stolen or leaked key can be abused to forge validly signed VIEWSTATE.
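As an added example (not code from the Sygnia report or from this article), the following Python script audits a web.config for the VIEWSTATE settings listed above and reports the weak ones. The two configurations it checks are constructed samples: the hex values in the weak one are placeholders, not real keys, and the "hardened" one shows the corrected settings beside them. The registry value AspNetEnforceViewStateMac is server-wide and is not in web.config, so it is not covered here; check it separately on each IIS host.

```python
"""Audit an ASP.NET web.config for the VIEWSTATE hardening settings discussed
above. Added example, not code from the Sygnia report or the article; the two
sample configs are constructed here and the hex keys are placeholders."""
import xml.etree.ElementTree as ET

# Constructed sample: the weak settings side by side with a hardened equivalent.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:AllowInsecureDeserialization" value="true" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:AllowInsecureDeserialization" value="false" />
  </appSettings>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def _child(elem, tag):
    """Return the first direct child with this tag (plain iteration rather than
    XPath, so the dotted 'system.web' tag name is matched literally)."""
    for child in elem:
        if child.tag == tag:
            return child
    return None


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means the checked settings are sound."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. MAC validation must stay on. The attribute defaults to true, so only an
    #    explicit "false" is a finding.
    system_web = _child(root, "system.web")
    pages = _child(system_web, "pages") if system_web is not None else None
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: unsigned VIEWSTATE is accepted and deserialised")

    # 2. The appSettings switch that re-enables insecure deserialisation must be off.
    app_settings = _child(root, "appSettings")
    for add in (app_settings if app_settings is not None else []):
        if (add.get("key") == "aspnet:AllowInsecureDeserialization"
                and add.get("value", "false").lower() == "true"):
            findings.append("aspnet:AllowInsecureDeserialization=true: MAC enforcement can be bypassed")

    # 3. Static machine keys are not wrong in themselves (web farms need them), but a
    #    leaked key lets an attacker forge a validly signed payload, so flag them for
    #    rotation review. Explicitly weak validation algorithms are flagged outright.
    machine_key = _child(system_web, "machineKey") if system_web is not None else None
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            if not machine_key.get(attr, "AutoGenerate").upper().startswith("AUTOGENERATE"):
                findings.append(f"{attr} is static: review rotation; a leaked key forges signed VIEWSTATE")
        if machine_key.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append("machineKey validation uses a weak algorithm; use HMACSHA256 or stronger")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_web_config(cfg) or ['no findings']}")
```

Run it against each application's web.config on the server (or a copy pulled from version control). A static machineKey shows up as a finding to review rather than an outright failure, because load-balanced farms need shared keys; the point the report makes is that such keys must be rotated, since anyone holding them can sign a deserialisation payload that passes MAC validation.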

"If ASP.NET session state is used by your web applications, make sure access to the database can only be done from legitimate network locations," the researchers said.

"Separate session state MSSQL databases between different IIS servers/web applications as much as possible or create different SQL users with proper minimal CRUD permissions. Make sure your .NET web applications are running with a designated application pool identity with the lowest privileges possible. This would create an additional obstacle for TG1021."

In addition to the Sygnia paper, there is an advisory published last year by the Australian Cyber Security Centre (ACSC) that contains indicators of compromise and attack techniques partially overlapping with the Praying Mantis activity observed by Sygnia.

The advisory was posted in response to what ACSC called at the time "a sustained targeting of Australian governments and companies by a sophisticated state-based actor" that represented "the most significant, coordinated cybertargeting against Australian institutions the Australian Government has ever observed."