Windows Internet-facing servers are being targeted by a new threat actor whose tooling runs “almost entirely in memory,” according to a new report from the Sygnia Incident Response Team.

The report states that the advanced and persistent threat actor, which Sygnia named “Praying Mantis” or “TG1021”, mainly used deserialization attacks to load a custom, fully volatile malware platform tailored to the Windows IIS environment.

“TG1021 uses a bespoke malware framework, built around a common core, tailored for IIS servers. The toolset is completely volatile, thoughtfully loaded into the memory of an affected machine, and leaves little or no trace on infected targets,” the researchers wrote.

“The threat actor used the access provided using the IIS to conduct the additional activity, including collecting credentials, reconnaissance, and lateral movement.”

Over the past year, the company’s incident response team has responded to a number of targeted cyber intrusions against several top organizations that Sygnia did not name.

“Praying Mantis” managed to compromise their networks by exploiting Internet-facing servers, and the report notes that the observed activity suggests the threat actor is very familiar with the Windows IIS platform and is equipped with 0-day exploits.

The main component, loaded on Internet-accessible IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also uses an additional stealth backdoor and several post-exploitation modules to perform network discovery, elevate privileges and move laterally within networks, the report explained.

“The nature of the activity and the general modus operandi suggest that TG1021 is an experienced stealth player, very aware of the security of operations. The malware used by TG1021 shows a significant effort to avoid detection, both actively interfering with logging mechanisms, successfully avoiding EDRs and silently waiting for incoming connections, rather than reconnecting to a C2 channel and constantly generating traffic.”

The actors behind “Praying Mantis” were able to remove any tools residing on disk after using them, giving up persistence in exchange for stealth.

The researchers noted that the actors’ techniques resemble those described in a June 2020 advisory from the Australian Cyber Security Centre, which warned of “copy-paste compromises.”

The Australian advisory said the attacks were launched by “a sophisticated state-sponsored actor” who represented “the largest and most coordinated cyber-targeting against Australian institutions the Australian government has ever observed.”

Another notice said the attacks specifically targeted Australian government institutions and businesses.

“The actor exploited a variety of exploits targeting Internet servers to gain initial access to target networks. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications and are used to execute sophisticated memory-resident malware that acts as a backdoor,” says the Sygnia report.

“The threat actor uses an arsenal of web application exploits and is an expert in their execution. The speed and versatility of operations combined with the sophistication of post-exploitation activities suggests that an advanced and highly skilled actor conducted the operations.”

The threat actors exploited multiple vulnerabilities in their attacks, including a 0-day vulnerability in an insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application.

They also abused the standard ASP.NET VIEWSTATE deserialization process on IIS servers to regain access to compromised machines, as well as

“This technique was used by TG1021 in order to move sideways between IIS servers within an environment. An initial IIS server was compromised using one of the deserialization vulnerabilities listed above. From there, the threat actor was able to carry out reconnaissance activities on a targeted ASP.NET session state MSSQL server and execution of the exploit,” notes the report.
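The VIEWSTATE deserialization and MSSQL session-state abuse described above both depend on how the ASP.NET application is configured. The following is an added example, not Sygnia's code or anything from the report: a small audit of a `web.config` that flags settings which leave ViewState deserialization weakly protected (MAC validation off, no ViewState encryption, legacy `machineKey` algorithms, static keys that need treating as secrets) and notes when session state is stored in SQL Server, so that database can be locked down and monitored. Both sample configurations are constructed for illustration.

```python
"""Added example (not Sygnia's code): audit an ASP.NET web.config for settings
that weaken ViewState/deserialization protection, and note MSSQL-backed session
state, which the report says the actor reconnoitred.  Both sample configs are
constructed for illustration; the checks encode common ASP.NET hardening guidance."""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample: a weakly configured site.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
    <sessionState mode="SQLServer"
                  sqlConnectionString="Server=db01;Integrated Security=true" />
  </system.web>
</configuration>
"""

# Constructed sample: the same site with the settings corrected.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256" decryption="AES" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>
"""

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}
LEGACY_DECRYPTION = {"DES", "3DES"}


def _child(parent: ET.Element, tag: str) -> Optional[ET.Element]:
    """Direct child lookup that is safe for tag names containing dots."""
    return next((c for c in parent if c.tag == tag), None)


def audit_web_config(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    if system_web is None:
        return findings

    pages = _child(system_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages/enableViewStateMac=false: ViewState is deserialized without a MAC check")
    encryption = pages.get("viewStateEncryptionMode") if pages is not None else None
    if encryption is None or encryption.lower() != "always":
        findings.append("pages/viewStateEncryptionMode is not 'Always': ViewState contents are readable")

    machine_key = _child(system_web, "machineKey")
    if machine_key is not None:
        validation = machine_key.get("validation", "").upper()
        if validation in LEGACY_VALIDATION:
            findings.append(f"machineKey/validation={validation}: use HMACSHA256 or stronger")
        decryption = machine_key.get("decryption", "").upper()
        if decryption in LEGACY_DECRYPTION:
            findings.append(f"machineKey/decryption={decryption}: use AES")
        for attr in ("validationKey", "decryptionKey"):
            # Explicit keys are normal in web farms, but they are secrets:
            # anyone holding them can produce ViewState the server trusts.
            if not machine_key.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey/{attr} is static: protect it and rotate it after any compromise")

    session = _child(system_web, "sessionState")
    if session is not None and session.get("mode", "").lower() == "sqlserver":
        findings.append("sessionState/mode=SQLServer: session data lives in MSSQL; restrict and monitor that database")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{name}: {len(audit_web_config(cfg))} finding(s)")
        for f in audit_web_config(cfg):
            print("  -", f)
```

The static-key finding is deliberately a note rather than an error: explicit `machineKey` values are required when ViewState must validate across a farm, but after an in-memory compromise of an IIS host the keys should be assumed read and rotated, since the report's description of regaining access via VIEWSTATE deserialization is exactly what a known key enables.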

The report added that the threat actors also took advantage of vulnerabilities in Telerik products, some of which involve weak encryption.

Sygnia researchers recommended patching all .NET deserialization vulnerabilities, looking for the known indicators of compromise, scanning Internet-facing IIS servers with their Yara rule set, and hunting for suspicious activity in Internet-connected IIS environments.
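The report's description of a backdoor that interferes with logging and waits for inbound requests rather than beaconing out means outbound-traffic detections will miss it; the hunting has to start from the IIS server's own request stream. As an added example, not Sygnia's tooling and not the Yara rules the report refers to, the script below applies two coarse heuristics to IIS W3C logs: stretches with no entries at all (what tampering with logging looks like from the outside) and unusually large POST bodies to ASP.NET pages (a rough signal for serialized payloads). The log lines, field layout, thresholds and IP addresses are constructed assumptions.

```python
"""Added example (not Sygnia's tooling): two defender heuristics over IIS W3C logs.
find_log_gaps() flags stretches with no entries at all, which is what tampering
with logging looks like from outside; find_large_posts() flags oversized POST
bodies to ASP.NET pages, a coarse signal for serialized payloads.  The log
lines, thresholds and field layout below are constructed assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log in IIS W3C extended format (cs-bytes = request size).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes
2021-07-01 09:00:00 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 412
2021-07-01 09:00:05 10.0.0.5 POST /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 1931
2021-07-01 09:00:30 10.0.0.5 POST /app/Upload.aspx - 443 198.51.100.9 python-requests/2.25 200 188720
2021-07-01 09:00:31 10.0.0.5 GET /favicon.ico - 443 203.0.113.7 Mozilla/5.0 404 150
2021-07-01 09:35:02 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 412
"""

Record = Dict[str, str]


def parse_w3c(text: str) -> List[Record]:
    """Parse W3C log text using the #Fields directive for column names."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue  # skip malformed lines rather than crash the hunt
        records.append(dict(zip(fields, values)))
    return records


def _timestamp(rec: Record) -> datetime:
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_log_gaps(records: List[Record],
                  max_gap: timedelta = timedelta(minutes=30)) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) pairs of consecutive entries further apart than max_gap."""
    stamps = sorted(_timestamp(r) for r in records)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def find_large_posts(records: List[Record], min_bytes: int = 65536) -> List[Record]:
    """Return POST requests to .aspx pages whose request size reaches min_bytes."""
    return [r for r in records
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower().endswith(".aspx")
            and int(r["cs-bytes"]) >= min_bytes]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for start, end in find_log_gaps(recs):
        print(f"no log entries between {start} and {end}")
    for r in find_large_posts(recs):
        print(f"large POST ({r['cs-bytes']} bytes) from {r['c-ip']} to {r['cs-uri-stem']}")
```

A silent period only means something against a baseline: run the gap check over windows in which the server is known to serve traffic, and tune `max_gap` per site. The size heuristic is equally blunt on its own (legitimate file uploads trip it), so treat both outputs as starting points for pivoting into the IIS worker process and the memory-resident modules the report describes, not as verdicts.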