28 July 2021

Praying Mantis APT targets Windows IIS web servers with deserialization exploits

A new advanced persistent threat (APT) group has been observed targeting Windows IIS web servers using a variety of deserialization exploits in order to infiltrate networks of high-profile organizations in the US.

The group, dubbed Praying Mantis, or TG1021, by researchers from incident response firm Sygnia, relies on a volatile (memory-resident) custom malware toolset built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC (operations security). The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth,” the researchers wrote in their report.

In the observed attacks, Praying Mantis used deserialization exploits against IIS servers hosting outdated ASP.NET applications to gain an initial foothold, then loaded a malware framework named NodeIISWeb that served as a backdoor.

“The NodeIISWeb malware is a .NET DLL reflectively loaded module that is injected into the w3wp.exe process of affected machines. It serves as the core component of the threat actor’s malware framework and acts as the main backdoor on a compromised IIS server,” Sygnia explained.

According to the researchers, the group gained access to target networks through several exploits against Windows IIS servers and the web applications hosted on them: a Checkbox Survey RCE exploit (CVE-2021-27852), an ASP.NET VIEWSTATE deserialization exploit, and two exploits targeting Telerik UI for ASP.NET AJAX (CVE-2019-18935 and CVE-2017-11317).
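As an added example, not code from Sygnia's report or from any tool it describes, the following Python audits an ASP.NET web.config for the conditions that make the VIEWSTATE vector named above practical: ViewState MAC validation switched off, and a static machineKey, which an attacker who has harvested it from a compromised host (or obtained it from a leaked deployment) can use to sign an arbitrary serialized payload. It also flags a registered Telerik.Web.UI.WebResource.axd handler so the installed Telerik version can be compared against the two Telerik CVEs; the check does not determine that version. Both sample configurations and the finding labels are constructed for this demo.

```python
"""Audit an ASP.NET web.config for settings relevant to ViewState
deserialization and the Telerik UI handler.

Added example: not part of Sygnia's report or any tool it names.
The two web.config strings are constructed samples, and the finding
labels are this script's own naming.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the configuration a ViewState gadget-chain attacker
# hopes to find (MAC off, hardcoded keys, Telerik upload handler present).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           verb="*" type="Telerik.Web.UI.WebResource" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Constructed sample: MAC enforced, keys generated per app, no Telerik handler.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of finding labels for one web.config document."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)

    # 1. ViewState MAC disabled. Modern ASP.NET enforces the MAC regardless of
    #    this attribute, but the setting still signals a neglected application
    #    and an attacker only needs one unpatched host.
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("VIEWSTATE_MAC_DISABLED")

    # 2. Static machineKey. Anything other than AutoGenerate is a long-lived
    #    secret: if it is read from disk by an intruder, every page that
    #    accepts __VIEWSTATE becomes a deserialization sink. Static keys are
    #    required on web farms, so treat this as "rotate and protect", not
    #    "must remove".
    machine_key = root.find("system.web/machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"STATIC_MACHINEKEY:{attr}")

    # 3. Telerik.Web.UI.WebResource.axd registered (in either the IIS
    #    <handlers> or classic <httpHandlers> section). Presence alone is
    #    not a vulnerability; it tells the reviewer to verify the Telerik
    #    UI version against CVE-2019-18935 and CVE-2017-11317.
    for add in root.iter("add"):
        path = add.get("path", "")
        if "telerik.web.ui.webresource.axd" in path.lower():
            findings.append("TELERIK_WEBRESOURCE_HANDLER")
            break

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run it against a real deployment by feeding each site's web.config to `audit_web_config`; a static machineKey on a server that has hosted NodeIISWeb should be treated as compromised and rotated, since the actor's in-memory tooling runs inside w3wp.exe with the same rights as the application.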
