According to Symantec, a newly discovered malware family is using Microsoft Internet Information Services (IIS) to implant a backdoor and observe all HTTP traffic to the compromised system.
Frebniis Abuses IIS Feature
Frebniis is malware that injects code into the memory of iisfreb.dll, the DLL behind an IIS feature used to trace failed web page requests. From there it silently inspects every HTTP request and watches for specially formatted requests from the attacker, which can lead to remote code execution.
However, in order to utilize this tactic, the attacker must first gain access to the Windows system operating the IIS server using another method. It is unclear how access was obtained in this case.
Symantec has identified attacks where hackers exploit an IIS function called ‘Failed Request Event Buffering’ (FREB) to obtain request metadata such as IP addresses, HTTP headers, and cookies. The injected .NET backdoor allows for C# code execution and proxying without disk interaction, making it difficult to detect. When the pages logon[.]aspx or default[.]aspx are requested, the malware searches for a specific password parameter.
Frebniis uses a base64 encoded string as a second HTTP parameter, allowing it to issue commands and communicate with other systems through the compromised IIS. This could potentially grant access to secured internal systems that are not publicly available.
The newly discovered malware, Frebniis, is capable of injecting harmful code into a DLL file used by an IIS feature called Failed Request Event Buffering (FREB) to track failed web page requests. FREB collects data about HTTP headers, IP addresses, ports, and more. Symantec’s Threat Hunter Team recently found that the malware is being used against targets in Taiwan by an unknown threat actor.
Frebniis ensures FREB is in use and then accesses the IIS process to retrieve information on where the targeted FREB DLL (iisfreb.dll) is loaded. It then hijacks a function pointer within the DLL to replace it with its own malicious code, allowing it to stealthily receive and inspect every HTTP request to the IIS server before returning to the original function. This HTTP backdoor is capable of identifying specially formatted requests while remaining undetected on the system.
Microsoft IIS is a widely-used software application platform designed for web server functionality and hosting web applications. It is an essential platform for services such as Outlook on the Web for Microsoft Exchange, among others. Due to its reliability and ease of access to web applications and services, Microsoft IIS is a popular choice for individuals and businesses alike.
Frebniis is a malware that identifies HTTP requests for specific URLs, such as /logon.aspx or /default.aspx, that contain a particular password parameter. Upon finding a match, the malware decodes and executes .NET code that provides remote code execution and proxying capabilities. This allows the malware operators to interact with internal resources that are typically inaccessible from the internet and execute code directly in memory through customized HTTP requests. Symantec reports that Frebniis has been used by an unidentified threat actor to target entities in Taiwan. The malware is a unique type of HTTP backdoor that operates in a stealthy manner, leaving no trace of files or suspicious processes on the system.
Commands Supported by the Malware
The commands supported by this malware are listed below:
The main advantage of abusing the FREB component is evasion: this unusual HTTP backdoor creates no suspicious processes, files, or other traces on the system.
While the exact route of the initial compromise is uncertain, it is strongly advisable to update software promptly to reduce the risk of cyber criminals exploiting vulnerabilities that are already known.
Monitoring a company's network with capable network traffic analysis tools can likewise help detect unusual activity caused by Frebniis or other malware.
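As an added example (not code from Symantec or from this article), the script below turns the request pattern described earlier into a log-side heuristic: it scans IIS W3C access log lines for requests to /logon.aspx or /default.aspx that carry a query parameter not on a site allowlist, and raises the severity when a parameter value is a base64 blob, matching the base64-encoded second parameter the article describes. The log lines are constructed, the parameter names `p` and `c` and the allowlist are assumptions (the article does not give the real parameter names), and the base64 value is just an encoded sample string.

```python
"""Heuristic scan of IIS W3C access logs for the request shape attributed to
the Frebniis backdoor: a watched page plus an unexpected query parameter
carrying a base64 blob. Added example, not Symantec's or Microsoft's code."""
import base64
import re
from urllib.parse import unquote

# Pages the article names as the ones the backdoor watches.
WATCHED_STEMS = {"/logon.aspx", "/default.aspx"}

# Site-specific allowlist of query parameters legitimately seen on those pages.
# Assumption for this example; tune it to your own application.
EXPECTED_PARAMS = {"returnurl"}

# Standard base64 alphabet with optional padding; >= 16 chars skips short tokens.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample log; the third request is the suspicious one.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-02-16 08:00:01 10.0.0.5 GET /default.aspx - 443 192.0.2.10 200
2023-02-16 08:00:02 10.0.0.5 POST /logon.aspx ReturnUrl=%2Fowa 443 192.0.2.11 302
2023-02-16 08:00:03 10.0.0.5 GET /logon.aspx p=sample-pass&c=Y29uc3RydWN0ZWQgc2FtcGxl 443 198.51.100.7 200
2023-02-16 08:00:04 10.0.0.5 GET /images/logo.png - 443 192.0.2.12 200
"""


def looks_like_base64(value: str) -> bool:
    """True when value is a well-formed standard-base64 string of >= 16 chars."""
    if not B64_RE.match(value) or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return True


def parse_query(query: str) -> list:
    """Split the cs-uri-query field without turning '+' into spaces,
    because '+' is a legitimate base64 character."""
    if query in ("", "-"):
        return []
    pairs = []
    for part in query.split("&"):
        key, _, val = part.partition("=")
        pairs.append((unquote(key), unquote(val)))
    return pairs


def parse_w3c(log_text: str):
    """Yield one dict per request line, using the log's own #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan_iis_log(log_text: str) -> list:
    """Return one finding per request matching the backdoor's request shape."""
    findings = []
    for row in parse_w3c(log_text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem not in WATCHED_STEMS:
            continue
        params = parse_query(row.get("cs-uri-query", "-"))
        unexpected = [k for k, _ in params if k.lower() not in EXPECTED_PARAMS]
        b64 = [k for k, v in params if looks_like_base64(v)]
        if not unexpected and not b64:
            continue
        findings.append({
            "time": f"{row.get('date')} {row.get('time')}",
            "client": row.get("c-ip"),
            "stem": stem,
            "unexpected_params": unexpected,
            "base64_params": b64,
            # A base64 blob on a watched page is the stronger signal.
            "severity": "high" if b64 else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

This relies on the request still reaching IIS's normal access logging, which the article neither confirms nor denies for a hooked iisfreb.dll, so treat it as one signal alongside checking whether Failed Request Tracing is enabled on sites where nobody turned it on and whether iisfreb.dll is loaded into w3wp.exe processes that have no reason to trace requests.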
Author: Ionut Arghire
Author: Guru