28 July 2021

Praying Mantis APT targets Windows IIS web servers with deserialization exploits


A new advanced persistent threat (APT) group has been observed targeting Windows IIS web servers using a variety of deserialization exploits in order to infiltrate networks of high-profile organizations in the US.

The hacker group, dubbed Praying Mantis, or TG1021, by researchers from incident response firm Sygnia, relies on a volatile and custom malware toolset built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC (operations security). The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth,” the researchers wrote in their report.

In the observed attacks, Praying Mantis leveraged exploits to gain access to IIS servers running outdated ASP.NET applications; the hackers then used a malware framework named NodeIISWeb that acted as a backdoor.

“The NodeIISWeb malware is a .NET DLL reflectively loaded module that is injected into the w3wp.exe process of affected machines. It serves as the core component of the threat actor’s malware framework and acts as the main backdoor on a compromised IIS server,” Sygnia explained.

According to the researchers, the APT relied on several exploits targeting Windows IIS servers and vulnerabilities in web applications to gain access to the target network: a Checkbox Survey RCE exploit (CVE-2021-27852), a VIEWSTATE deserialization exploit, and two exploits targeting Telerik UI for ASP.NET AJAX (CVE-2019-18935, CVE-2017-11317).
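The VIEWSTATE deserialization exploit listed above depends on the server deserializing a `__VIEWSTATE` payload it did not itself produce, which is only possible when MAC validation is switched off or the signing key is predictable or has leaked. The web.config fragment below is an added, illustrative example and not configuration from the Sygnia report or from any affected product: the weak setting is shown in a comment beside the hardened one, and the key values are placeholders to be replaced with freshly generated random material.

```xml
<configuration>
  <system.web>
    <!-- Weak (do not use): with MAC validation off, any base64 blob sent in
         __VIEWSTATE is deserialized without an integrity check.
           <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
         Note: since MS14-059 (.NET 4.5.2+) ASP.NET ignores enableViewStateMac="false",
         so on patched frameworks the remaining risk is a leaked or guessable machineKey. -->

    <!-- Hardened: every ViewState must carry a valid HMAC and is encrypted at rest in the page. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- PLACEHOLDER keys: generate random values (HMACSHA256 expects 64 bytes = 128 hex
         characters for validationKey; AES expects 32 bytes = 64 hex characters for
         decryptionKey). Rotate them if web.config may have been read by an attacker. -->
    <machineKey validationKey="REPLACE_WITH_128_RANDOM_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_RANDOM_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

An explicit `machineKey` is required on web farms (otherwise each node auto-generates its own and ViewState round-trips fail), but an explicit key is also a secret: anyone who can read it can forge ViewState that passes the MAC check, so a compromise of the kind described here should be followed by key rotation, not just malware removal.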
