How To Prevent Advanced Memory Resident Attacks By Praying Mantis On Microsoft IIS Servers?

Israeli cybersecurity firm Sygnia has reported that a new, highly capable and persistent threat actor, dubbed “Praying Mantis” or “TG1021”, launched advanced memory-resident attacks on the Microsoft IIS servers of major high-profile public and private entities in the US. Let’s see who is behind the attacks, who was targeted, and finally how to prevent advanced memory-resident attacks.

Victims Of Advanced Memory Resident Attacks:

According to the report, the threat actor operates almost completely in memory. It mostly targeted Windows internet-facing servers in the US, loading a completely volatile, custom malware platform tailored for the Windows IIS environment.

Who Is behind Advanced Memory Resident Attacks?

The research organization named the advanced persistent threat actor “Praying Mantis” or “TG1021”. The Tactics, Techniques, and Procedures (TTPs) used in the attack were similar to those of the nation-sponsored actor behind the “Copy-Paste Compromises”; please check the advisory released by the Australian Cyber Security Centre (ACSC).

Vulnerabilities Used Targeting IIS Servers:

The actor leveraged a variety of exploits targeting internet-facing Microsoft IIS servers to gain initial access. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications to execute sophisticated memory-resident malware that acts as a backdoor, known as “NodeIISWeb”. Let’s see the identified vulnerabilities that were exploited to deploy the NodeIISWeb malware.

#1. Checkbox Survey RCE Exploit (CVE-2021-27852)

A zero-day vulnerability associated with an insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application. It enables attackers to achieve remote code execution (RCE) on the target, resulting in the initial compromise of an IIS server.

#2. VIEWSTATE Deserialization Exploit:

“The threat actor also leveraged and exploited the standard VIEWSTATE deserialization process to regain access to compromised machines. VIEWSTATE is a mechanism in .NET used to maintain and preserve web page session data between a client and a server.”

Sygnia, an Israel-based cybersecurity firm.

#3. Altserialization Insecure Deserialization:

Fig #1. Altserialization Insecure Deserialization

ASP.NET allows web applications to store user sessions in a session object for later use. The application saves the serialized .NET session object to an MSSQL database and associates it with a cookie. When the user browses the application again with that cookie, the session state is loaded and deserialized. The vulnerability allows an attacker to craft a malicious serialized object and write it to the database, leading to remote code execution on the web application server once the implanted cookie is passed in an HTTP request.

#4. Telerik-UI Exploit (CVE-2019-18935, CVE-2017-11317):

A suite of UI components for web applications was found to be vulnerable due to weak encryption, enabling a malicious actor to upload a file and/or run malicious code. TG1021 used this vulnerability to upload a web shell loader to the targets, which was then used to upload additional malware modules in later phases.
https://youtu.be/–6PiuvBGAU

How To Prevent Advanced Memory Resident Attacks By Praying Mantis?

Prevention is the best protection. Please go through these points, which will help prevent advanced memory-resident attacks on your IIS servers.

  • View State data is removed from Checkbox Survey version 7.0, so use Checkbox Survey 7.0 or above, which doesn’t contain the vulnerability.
  • Use newer versions of .NET, which enforce encryption and validation of the VIEWSTATE data and so protect against this kind of exploit.
  • Always keep the encryption and validation keys safe. If they are stolen, attackers can bypass the integrity check and eventually execute malicious code on the IIS server.
  • Upgrade Telerik to R3 2019 SP1 (v2019.3.1023) or later.
  • Refer to Telerik’s RadAsyncUpload security guide.
  • Configure the control according to the recommended security settings.
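The points above all come down to settings in the application’s web.config. The following added example (written for this post, not code from Sygnia, Microsoft or Telerik) audits a web.config for the weak settings the list describes, with a constructed “weak” file beside its corrected form: ViewState MAC and encryption under `<pages>`, the `<machineKey>` algorithms, the registered Telerik.Web.UI assembly version against the 2019.3.1023 floor, and empty RadAsyncUpload key settings. The appSettings key names are the ones Telerik’s RadAsyncUpload guide uses; the post refers to that guide but does not list them, so treat their presence in your own config as an assumption to verify. Key values are placeholders only.

```python
import re
import xml.etree.ElementTree as ET

# Minimum Telerik UI for ASP.NET AJAX build named in the post: R3 2019 SP1 (v2019.3.1023).
TELERIK_MIN_VERSION = (2019, 3, 1023)

# appSettings keys from Telerik's RadAsyncUpload security guide (assumption: your
# application uses these names; the post points to the guide without listing them).
TELERIK_KEY_SETTINGS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
}

# Constructed web.config carrying the weak settings the post warns about (not a real site's file).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="" />
  </appSettings>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.1.115.45, Culture=neutral" />
      </assemblies>
    </compilation>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# The same file with the settings corrected; key values are placeholders, generate your own.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PLACEHOLDER_LONG_RANDOM_SECRET" />
  </appSettings>
  <system.web>
    <compilation>
      <assemblies>
        <add assembly="Telerik.Web.UI, Version=2019.3.1023.45, Culture=neutral" />
      </assemblies>
    </compilation>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARS" decryptionKey="PLACEHOLDER_64_HEX_CHARS"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def parse_version(text):
    """'2019.1.115.45' -> (2019, 1, 115, 45), so tuples compare numerically."""
    return tuple(int(p) for p in text.split("."))


def audit_web_config(xml_text):
    """Return a list of findings for one web.config; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)

    pages = root.find("./system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append('VIEWSTATE: enableViewStateMac="false" disables the integrity check')
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append('VIEWSTATE: viewStateEncryptionMode="Never" sends ViewState unencrypted')

    mk = root.find("./system.web/machineKey")
    if mk is not None:
        if mk.get("validation", "").upper() in {"MD5", "SHA1"}:
            findings.append("MACHINEKEY: weak validation algorithm %s, use HMACSHA256" % mk.get("validation"))
        if mk.get("decryption", "").upper() in {"DES", "3DES"}:
            findings.append("MACHINEKEY: weak decryption algorithm %s, use AES" % mk.get("decryption"))

    for add in root.findall("./system.web/compilation/assemblies/add"):
        m = re.match(r"\s*Telerik\.Web\.UI\s*,\s*Version=([\d.]+)", add.get("assembly", ""))
        if m and parse_version(m.group(1))[:3] < TELERIK_MIN_VERSION:
            findings.append("TELERIK: Telerik.Web.UI %s is older than 2019.3.1023 (R3 2019 SP1)" % m.group(1))

    for add in root.findall("./appSettings/add"):
        if add.get("key") in TELERIK_KEY_SETTINGS and not add.get("value"):
            findings.append("TELERIK: appSetting %s is empty; set a long random secret" % add.get("key"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run it against `Get-Content` output or a copied web.config and it prints one line per problem. The `<pages>` check only reports explicit weak values; on .NET 4.5.2 and later the MAC is enforced regardless of the attribute, which is the “newer versions of .NET” point in the list, so the version check on the framework itself still belongs in your patching process.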

Indicators Of Compromise Of Advanced Memory Resident Attacks:

Files:

  • Default.aspx (Loader web shell)
    MD5: f69d32157189945fa2bf47a690a8bd62
    SHA1: 4f10e10050d3da0b369f6636ede18a418ecab3a0
    SHA256: ea463bf8e502d0ff68736afa3dcbb59c969a6dc5776c0d7d10bb282ec3b62282

  • NodeIISWeb.dll
    MD5: de19ea6e9cdf2ac5d22a00d24898532d
    SHA1: 0786eb857c20dedb578e181cafba81ef0a097205
    SHA256: 562cfbab3c6c4daf3a7f81412c77d5b70402c48aed3f49066cb758742b068afd

  • PSRunner.dll (Memory Resident)
    MD5: c8d12b90e9efd04a2c523efaef3d01d4
    SHA1: abd78cf430d91d07387e7305be6523249af38caa
    SHA256: 88cb332eb82f3c086eaa33607a173cf6410bff0b9a21d6692225ffb9bbe877c6

  • PotatoEx.dll (Memory Resident)
    MD5: 92fd2e7d4dfced8c635fbcb54bb651b9
    SHA1: be6648ada0074cb76b5da7854c37cb784c52f989
    SHA256: 4a41a1b8adf426959ece8ebed0fccdcd5db1124eb0686c2f590b3b93392429e6

  • ExtDLL.dll (Memory Resident)
    MD5: 6322a2a4b5dd34ecff3af22c4fac94cf
    SHA1: 5679ada30e9cdbdfe62a05448d76e7034489945a
    SHA256: 40b1bc34ecaddc7f08ca6399cb2a07520a7203394aa3accb1bb7d94aa21b35d6

  • WebTunnel.dll (Memory Resident)
    MD5: 3a0f85d811916f66371b9a994472667c
    SHA1: ba251c5f2884e2535a2178509b9065a9be969965
    SHA256: 0d6dec29075584af62801306913430c1733882955eedcd9e9a4916b2dae4d457

  • AssemblyManager.dll (Memory Resident)
    MD5: 0bd1d822710ca4cd8612cfcd78a12155
    SHA1: 94df55b21bbd7bb82ab269d7840a3188003e5d35
    SHA256: e1f3763092aa779fd291afe9aa18866658966332b13caa57d34d294120e1f608

  • ReflectiveLoadForms.dll
    MD5: 9d705f6333fc8cb3e75dde04e7a71ca4
    SHA1: cb84313a708723268a0608929887ad16fcf83a26
    SHA256: 01e33b20366589b19f66ffdd560538e83fe1a63cab7f29e0a6754bcbb49ec7bb

Malicious HTTP identifiers:

  • User-agent hard-coded in the tools: “Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko”
  • HTTP parameter and cookie: “AESKey”
  • HTTP parameter: “__VSTATEGENERATOR”
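The three HTTP identifiers can be hunted for directly in IIS W3C logs. The example below is added here and is not from the original report: it parses the `#Fields:` directive of a constructed sample log (made up for this post, not real traffic) and flags requests by the hard-coded user-agent, the `AESKey` and `__VSTATEGENERATOR` query parameters, and the `AESKey` cookie. Two details matter for the match: IIS writes spaces in logged fields as `+`, which is why the user-agent IoC is spelled that way, and the decoded string is the stock Internet Explorer 11 user-agent, so on its own it is a weak indicator and is best correlated with the parameter and cookie names. The `__VSTATEGENERATOR` name differs from the legitimate ASP.NET `__VIEWSTATEGENERATOR` field, so an exact name match does not fire on normal postbacks. IIS does not log POST bodies, and `cs(Cookie)` is an optional logging field, so this catches only what the log actually contains.

```python
from urllib.parse import unquote_plus

# Network indicators from the post. IIS W3C logging replaces spaces with '+', which is how
# the user-agent appears in the log; the raw header is the stock IE11 string.
IOC_USER_AGENT = "Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko"
IOC_PARAM_NAMES = {"AESKey", "__VSTATEGENERATOR"}   # legitimate ASP.NET uses __VIEWSTATEGENERATOR
IOC_COOKIE_NAMES = {"AESKey"}

# Constructed sample log (not from a real server). cs(Cookie) is an optional W3C field;
# enable it in IIS logging for the cookie check to have anything to inspect.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-28 10:15:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - - 200 0 0 120
2021-07-28 10:15:02 10.0.0.5 POST /Default.aspx AESKey=0123abcd 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - - 200 0 0 85
2021-07-28 10:15:03 10.0.0.5 POST /Login.aspx __VSTATEGENERATOR=CA0B0334 443 - 198.51.100.9 curl/7.68.0 - - 200 0 0 33
2021-07-28 10:15:04 10.0.0.5 POST /Login.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Firefox/90.0 AESKey=0123abcd;+ASP.NET_SessionId=k2f3 - 200 0 0 40
2021-07-28 10:15:05 10.0.0.5 GET /index.html - 443 - 192.0.2.11 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/92.0 - - 200 0 0 10
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def pair_names(field, sep):
    """Names of key=value pairs in a query ('&') or cookie (';') field; '-' means empty."""
    if field in ("", "-"):
        return set()
    return {p.lstrip("+").split("=", 1)[0] for p in field.split(sep) if p}


def scan_iis_log(text):
    """Return the records matching any of the post's HTTP indicators, each with its reasons."""
    hits = []
    for rec in parse_w3c(text):
        reasons = []
        if rec.get("cs(User-Agent)") == IOC_USER_AGENT:
            reasons.append("hard-coded user-agent")
        for name in sorted(IOC_PARAM_NAMES & pair_names(rec.get("cs-uri-query", "-"), "&")):
            reasons.append("query parameter " + name)
        for name in sorted(IOC_COOKIE_NAMES & pair_names(rec.get("cs(Cookie)", "-"), ";")):
            reasons.append("cookie " + name)
        if reasons:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "user_agent": unquote_plus(rec.get("cs(User-Agent)", "-")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["uri"], ", ".join(hit["reasons"]))
```

Point `scan_iis_log` at the contents of the files under the site’s log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<site-id>`) and triage the hits by client address and URI. Because the user-agent on its own is a common browser string, a hit with only that reason is a lead to correlate with the parameter or cookie hits and with the file hashes above, not a verdict.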


Please go here to download the original report for detailed information. Thanks for reading this post. Please share this and help to save the digital world.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of “thesecmaster.com”: enthusiast, security blogger, technical writer, editor and author at TheSecMaster. To know more about me, follow me on LinkedIn.
