August 5, 2021

How To Prevent Advanced Memory Resident Attacks By Praying Mantis On Microsoft IIS Servers?


The Israeli cybersecurity firm Sygnia has reported that a highly capable and persistent threat actor, dubbed Praying Mantis or TG1021, launched advanced memory-resident attacks against the Microsoft IIS servers of major high-profile public and private entities in the US. Let's see who is behind the attacks, who was targeted, which vulnerabilities were used, and finally how to prevent these advanced memory-resident attacks.


Victims Of Advanced Memory Resident Attacks:

According to the report, the threat actor operates almost completely in memory. It mostly targeted internet-facing Windows servers in the US and loaded onto them a completely volatile, custom malware platform tailored to the Windows IIS environment; because nothing of substance is written to disk, conventional file-based detection largely misses it.

Who Is behind Advanced Memory Resident Attacks?

Sygnia named the advanced persistent threat actor Praying Mantis, or TG1021. The Tactics, Techniques, and Procedures (TTPs) used in the attacks resemble those of the nation-state actor described in the "Copy-Paste Compromises" advisory released by the Australian Cyber Security Centre (ACSC); please check that advisory for the earlier campaign.

Vulnerabilities Used Targeting IIS Servers:

The actor leveraged a variety of exploits against internet-facing Microsoft IIS servers to gain initial access. These exploits abuse .NET deserialization mechanisms and known vulnerabilities in web applications to execute a sophisticated memory-resident malware that acts as a backdoor, known as NodeIISWeb. Let's see the identified vulnerabilities that were exploited to deploy the NodeIISWeb malware.

#1. Checkbox Survey RCE Exploit (CVE-2021-27852)

This vulnerability, a 0-day at the time of the attacks, stems from an insecure implementation of the deserialization mechanism within the Checkbox Survey web application. It enables attackers to achieve remote code execution (RCE) on the target, resulting in the initial compromise of the IIS server.

#2. VIEWSTATE Deserialization Exploit:

The threat actor also exploited the standard VIEWSTATE deserialization process to regain access to compromised machines. VIEWSTATE is an ASP.NET mechanism that serializes the state of a page and its controls into a hidden form field so that it survives round trips between the client and the server. If the server deserializes VIEWSTATE that has not been MAC-validated, or if the attacker holds the validation key, a crafted VIEWSTATE payload executes code on the server.

(Source: Sygnia, an Israeli cybersecurity firm.)

#3. Altserialization Insecure Deserialization:

Fig #1. Altserialization Insecure Deserialization

ASP.NET allows web applications to store user sessions in a session object for later use. With out-of-process session state, the application saves the serialized .NET session object to an MSSQL database, keyed by the session ID carried in a cookie. When the user browses the application again with that cookie, the session state is loaded from the database and deserialized. The weakness is that an attacker who can write to the session database can plant a malicious serialized object there; when the matching cookie is passed in an HTTP request, the object is deserialized and leads to remote code execution on the web application server.

#4. Telerik-UI Exploit (CVE-2019-18935, CVE-2017-11317):

Telerik UI for ASP.NET AJAX, a suite of UI components for web applications, was found to be vulnerable: CVE-2017-11317 concerns weak encryption of the RadAsyncUpload configuration, which lets an attacker upload arbitrary files, and CVE-2019-18935 is an insecure deserialization flaw that lets an attacker run malicious code. TG1021 used these vulnerabilities to upload a web shell loader to the targets, which was then used to load additional malware modules in later phases.

How To Prevent Advanced Memory Resident Attacks By Praying Mantis?

Prevention is the best protection. Please go through these points, which will help prevent advanced memory-resident attacks on your IIS servers.

  • Upgrade to Checkbox Survey 7.0 or later. View State data was removed from version 7.0 onwards, so these versions do not contain CVE-2021-27852.

  • Run a current .NET Framework. Recent versions enforce MAC validation of VIEWSTATE (enableViewStateMac can no longer be switched off) and support encrypting it, which blocks deserialization of attacker-supplied VIEWSTATE unless the keys leak.

  • Always keep the machineKey encryption and validation keys safe. If the keys are stolen, attackers can forge valid VIEWSTATE, bypass the integrity check, and execute malicious code on the IIS server. Restrict file permissions on web.config and encrypt the machineKey section (for example with aspnet_regiis -pe "system.web/machineKey"), and rotate the keys after any suspected compromise.

  • Upgrade Telerik UI for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.

  • Refer to Telerik's RadAsyncUpload security guide and configure the control according to its recommended security settings.
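The VIEWSTATE and session-state points above can be checked from the site's web.config. The script below is an added example, not a tool from Sygnia's report: it audits a web.config for disabled VIEWSTATE MAC validation, disabled VIEWSTATE encryption, weak machineKey algorithms, and out-of-process session state (the Altserialization path). The two sample configurations embedded in it are constructed for illustration.

```python
"""Audit an ASP.NET web.config for the settings the Praying Mantis
VIEWSTATE and Altserialization exploits depend on.

Added example; the sample configs below are constructed, not taken from
any real server. Run: python audit_webconfig.py <path-to-web.config>
"""
import sys
import xml.etree.ElementTree as ET

# machineKey algorithms that are still acceptable; everything else is flagged.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
STRONG_DECRYPTION = {"AES", "Auto"}

# Constructed sample: the weak settings an attacker would love to find.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="0A1B2C" decryptionKey="3D4E5F"
                validation="SHA1" decryption="3DES" />
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=db01;Integrated Security=SSPI" />
  </system.web>
</configuration>"""

# Constructed sample: the hardened equivalent.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="0A1B2C" decryptionKey="3D4E5F"
                validation="HMACSHA256" decryption="AES" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one web.config document."""
    findings: list[tuple[str, str]] = []
    root = ET.fromstring(xml_text)
    sw = root.find("system.web")
    if sw is None:
        return [("INFO", "no <system.web>: settings are inherited from machine.config")]

    pages = sw.find("pages")
    if pages is not None:
        # On pre-4.5.2 frameworks this attribute really does disable the MAC,
        # which turns VIEWSTATE into an unauthenticated deserialization sink.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("CRITICAL", "pages enableViewStateMac=false: VIEWSTATE accepted without MAC"))
        if pages.get("viewStateEncryptionMode", "Auto") == "Never":
            findings.append(("WARN", "pages viewStateEncryptionMode=Never: VIEWSTATE contents readable"))

    mk = sw.find("machineKey")
    if mk is None:
        findings.append(("INFO", "no <machineKey>: keys auto-generated; fine for a single server, breaks farms"))
    else:
        if mk.get("validation", "HMACSHA256") not in STRONG_VALIDATION:
            findings.append(("WARN", f"machineKey validation={mk.get('validation')} is weak; use HMACSHA256+"))
        if mk.get("decryption", "Auto") not in STRONG_DECRYPTION:
            findings.append(("WARN", f"machineKey decryption={mk.get('decryption')} is weak; use AES"))
        if mk.get("validationKey") or mk.get("decryptionKey"):
            # Not a bug, but these literal keys are exactly what TG1021 needs.
            findings.append(("INFO", "static machineKey present: restrict ACLs / encrypt section, rotate if leaked"))

    ss = sw.find("sessionState")
    if ss is not None and ss.get("mode", "InProc") in {"SQLServer", "StateServer", "Custom"}:
        findings.append(("WARN", f"sessionState mode={ss.get('mode')}: session objects deserialized from an "
                                 "external store; protect write access to it (Altserialization path)"))
    return findings


def worst_severity(findings: list[tuple[str, str]]) -> str:
    order = {"CRITICAL": 3, "WARN": 2, "INFO": 1}
    return max((s for s, _ in findings), key=order.get, default="OK")


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else WEAK_CONFIG
    for sev, msg in audit_web_config(text):
        print(f"[{sev}] {msg}")
```

Run it against each site's web.config (and the server-level applicationHost/root web.config, since the settings inherit) and treat any CRITICAL or WARN as a patching task; the INFO line about static keys is a reminder that the keys, not the config syntax, are what must stay secret.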

Indicators Of Compromise Of Advanced Memory Resident Attacks:

Files:

  • Default.aspx (Loader web shell)

  • PSRunner.dll (Memory Resident)

  • PotatoEx.dll (Memory Resident)

  • ExtDLL.dll (Memory Resident)

  • WebTunnel.dll (Memory Resident)

  • AssemblyManager.dll (Memory Resident)

Malicious HTTP Identifiers:

  • User-agent hard-coded in the tools

  • HTTP parameter and cookie named AESKey
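Because the memory-resident modules leave little on disk, the HTTP indicators are the most practical thing to hunt in IIS logs. The script below is an added example rather than a detection from the report: it parses W3C-format IIS logs using their #Fields header and flags requests carrying an AESKey query parameter or cookie, plus POSTs to a Default.aspx loader candidate. The log lines are constructed; the hard-coded User-Agent itself is not given on this page, so no User-Agent rule is included.

```python
"""Hunt IIS W3C logs for the TG1021 HTTP identifiers: the AESKey
parameter/cookie and POSTs to the Default.aspx loader web shell.

Added example, not a tool from Sygnia's report. SAMPLE_LOG is constructed.
Run: python hunt_iis.py u_ex210630.log [more logs...]
"""
import re
import sys
from typing import Iterable, Iterator

# IIS writes spaces in field values as '+', so separators inside a cookie
# field look like ';+'. Match AESKey= at the start of a value or after a separator.
AESKEY_RE = re.compile(r"(?:^|[;&+\s])AESKey=", re.IGNORECASE)

# Constructed sample log (12 fields per line, matching the #Fields header).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-06-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Cookie) sc-status time-taken
2021-06-30 09:12:01 10.1.2.3 GET /survey/Default.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) ASP.NET_SessionId=5f2c 200 35
2021-06-30 09:12:44 10.1.2.3 POST /Default.aspx AESKey=QmFkS2V5 443 203.0.113.10 Mozilla/5.0 - 200 410
2021-06-30 09:13:02 10.1.2.3 GET /Default.aspx - 443 203.0.113.10 Mozilla/5.0 ASP.NET_SessionId=5f2c;+AESKey=QmFkS2V5 200 88
""".splitlines()


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_number, record) for each data line, keyed by the #Fields names."""
    fields: list[str] | None = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header can change mid-file on rotation
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # malformed/truncated line; skip rather than misalign
        yield lineno, dict(zip(fields, values))


def hunt(lines: Iterable[str]) -> list[dict]:
    """Return one hit per suspicious request with the reasons it matched."""
    hits = []
    for lineno, rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")
        cookie = rec.get("cs(Cookie)", "-")
        stem = rec.get("cs-uri-stem", "-")
        method = rec.get("cs-method", "-")
        reasons = []
        if query != "-" and AESKEY_RE.search(query):
            reasons.append("AESKey in query string")
        if cookie != "-" and AESKEY_RE.search(cookie):
            reasons.append("AESKey cookie")
        # Default.aspx is a common legitimate page name; a POST to it is only a
        # lead to correlate with the other indicators, not proof on its own.
        if method == "POST" and stem.lower().endswith("/default.aspx"):
            reasons.append("POST to Default.aspx (loader web shell candidate)")
        if reasons:
            hits.append({"line": lineno, "client": rec.get("c-ip", "-"),
                         "stem": stem, "reasons": reasons})
    return hits


if __name__ == "__main__":
    sources = sys.argv[1:]
    if not sources:
        for hit in hunt(SAMPLE_LOG):
            print(hit)
    for path in sources:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in hunt(fh):
                print(path, hit)
```

Cookie matching only works if cs(Cookie) is enabled in the site's logging fields (it is off by default), so check that first; an AESKey hit in either field is a strong indicator, while a lone POST to Default.aspx should be pivoted on the client IP and time window before calling it an incident.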

Please see Sygnia's original report for detailed information. Thanks for reading this post. Please share it and help to protect the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
