August 5, 2021

How To Prevent Advanced Memory Resident Attacks By Praying Mantis On Microsoft IIS Servers?


Israeli cybersecurity firm Sygnia reported that a new, highly capable and persistent threat actor, dubbed Praying Mantis or TG1021, launched advanced memory-resident attacks on the Microsoft IIS servers of major high-profile public and private entities in the US. Let's see who is behind the attacks, whom they targeted, and finally how to prevent advanced memory-resident attacks.


Victims Of Advanced Memory Resident Attacks:

According to the report, the threat actor operates almost completely in memory. It mostly targeted internet-facing Windows servers in the US, loading a completely volatile, custom malware platform tailored for the Windows IIS environment.

Who Is behind Advanced Memory Resident Attacks?

The research organization named the advanced persistent attacker Praying Mantis or TG1021. The Tactics, Techniques, and Procedures (TTPs) used in the attack were similar to those of the nation-sponsored actor behind the Copy-Paste Compromises; please check the

 released by the Australian Cyber Security Centre (ACSC).

Vulnerabilities Used Targeting IIS Servers:

The actor leveraged a variety of exploits targeting internet-facing Microsoft IIS servers to gain initial access. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications to execute a sophisticated memory-resident malware that acts as a backdoor, known as NodeIISWeb. Let's see the identified vulnerabilities that were exploited to deploy the NodeIISWeb malware.

#1. Checkbox Survey RCE Exploit (CVE-2021-27852)

A 0-day vulnerability associated with an insecure implementation of the deserialization mechanism within the Checkbox Survey web application. It enables attackers to achieve remote code execution (RCE) on the target, resulting in the initial compromise of an IIS server.

#2. VIEWSTATE Deserialization Exploit:

The threat actor also exploited the standard VIEWSTATE deserialization process to regain access to compromised machines. VIEWSTATE is a mechanism in .NET used to maintain and preserve web page state between a client and a server.

By Sygnia, an Israeli cybersecurity firm.

#3. Altserialization Insecure Deserialization:

Fig #1. Altserialization Insecure Deserialization

ASP.NET allows web applications to store user sessions in a session object to be used later. The application saves the serialized .NET session object to an MSSQL database and ties it to a cookie. When the user browses the application again with that cookie, the session state is loaded and deserialized. The vulnerability enables an attacker to craft a malicious serialized object and write it to the database, leading to remote code execution on the web application server when the implanted cookie is passed in an HTTP request.

#4. Telerik-UI Exploit (CVE-2019-18935, CVE-2017-11317):

A suite of UI components for web applications was found to be vulnerable due to weak encryption, enabling a malicious actor to upload a file and/or run malicious code. TG1021 used this vulnerability to upload a web shell loader to the targets, which was then used to upload additional malware modules in later phases.

How To Prevent Advanced Memory Resident Attacks By Praying Mantis?

Prevention is the best protection. The following points will help prevent advanced memory-resident attacks on your IIS servers.

  • View State data was removed from Checkbox Survey version 7.0; use version 7.0 or above, which does not contain the vulnerability.

  • Use newer versions of .NET to enforce encryption and validation of the VIEWSTATE data, which offers protection against this kind of exploit.

  • Always keep the encryption and validation keys safe. If they are stolen, attackers can bypass the integrity check and eventually execute malicious code on the IIS server.

  • Upgrade Telerik to R3 2019 SP1 (v2019.3.1023) or later.

  • Refer to Telerik's RadAsyncUpload security guide.

  • Configure the control according to the recommended security settings.
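As an added example (not from the article or from Sygnia), a small Python audit that reads a web.config and flags the weak ViewState settings the list above warns about, with a constructed weak configuration beside its hardened counterpart; the machineKey values are placeholders, not real keys.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weak web.config: ViewState MAC disabled, encryption off,
# and no explicit machineKey (so keys are auto-generated and cannot be managed).
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

# Constructed hardened counterpart. The key values are placeholders, not real keys:
# generate your own and keep them out of source control and off untrusted hosts.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_viewstate(config_xml: str) -> list[str]:
    """Return findings for weak ViewState settings; an empty list means none found."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return ["no <system.web> section: ASP.NET defaults apply, review them explicitly"]
    pages = system_web.find("pages")
    attrs = pages.attrib if pages is not None else {}
    # enableViewStateMac defaults to true and is only weak when explicitly disabled
    if attrs.get("enableViewStateMac", "true").lower() != "true":
        findings.append("enableViewStateMac is disabled: ViewState integrity is not verified")
    mode = attrs.get("viewStateEncryptionMode", "Auto")
    if mode.lower() != "always":
        findings.append(f"viewStateEncryptionMode={mode}: set Always so ViewState is always encrypted")
    mk = system_web.find("machineKey")
    if mk is None:
        findings.append("no explicit <machineKey>: keys are auto-generated and cannot be rotated deliberately")
    else:
        for attr in ("validationKey", "decryptionKey"):
            if mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey {attr} is AutoGenerate")
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append("machineKey validation uses a weak algorithm; use HMACSHA256 or stronger")
    return findings
```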

Indicators Of Compromise Of Advanced Memory Resident Attacks:

Files
  • Default.aspx (loader web shell)
  • NodeIISWeb.dll
  • PSRunner.dll (memory resident)
  • PotatoEx.dll (memory resident)
  • ExtDLL.dll (memory resident)
  • WebTunnel.dll (memory resident)
  • AssemblyManager.dll (memory resident)
  • ReflectiveLoadForms.dll

Malicious HTTP identifiers:
  • User-Agent hard-coded in the tools: Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko
  • HTTP parameter and cookie AESKey
  • HTTP parameter __VSTATEGENERATOR
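As an added example (not part of the article or of Sygnia's report), the following Python script runs the three HTTP identifiers above over a constructed IIS W3C log excerpt; the log lines, IP addresses and parameter values are made up for illustration.

```python
import re
from typing import Iterator

# Constructed IIS W3C log excerpt (not from a real incident). Column order follows the
# #Fields directive; IIS writes the User-Agent with '+' in place of spaces.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2021-07-01 10:00:01 GET /index.aspx - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/91.0 - 200
2021-07-01 10:00:07 POST /survey/Default.aspx __VSTATEGENERATOR=ABCD1234 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200
2021-07-01 10:00:12 GET /survey/Default.aspx AESKey=0011223344 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko ASP.NET_SessionId=abc123 200
2021-07-01 10:00:20 POST /app/page.aspx __VIEWSTATEGENERATOR=CA0B0334 198.51.100.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200
"""

TOOL_USER_AGENT = "Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko"
# Anchor the parameter name as a whole token so the legitimate __VIEWSTATEGENERATOR
# field of normal ASP.NET postbacks does not trigger the __VSTATEGENERATOR rule.
PARAM_PATTERNS = {
    "AESKey": re.compile(r"(?:^|[&;?\s])AESKey=", re.IGNORECASE),
    "__VSTATEGENERATOR": re.compile(r"(?:^|[&;?\s])__VSTATEGENERATOR="),
}


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_indicators(text: str) -> list[dict]:
    """Return records matching the Praying Mantis HTTP identifiers, with the reasons."""
    hits = []
    for rec in parse_w3c(text):
        reasons = []
        if rec.get("cs(User-Agent)") == TOOL_USER_AGENT:
            reasons.append("hard-coded tool User-Agent")
        # Query string and cookie are both checked, since AESKey was seen in either
        haystack = " ".join(rec.get(f, "") for f in ("cs-uri-query", "cs(Cookie)"))
        for name, pattern in PARAM_PATTERNS.items():
            if pattern.search(haystack):
                reasons.append(f"{name} in query or cookie")
        if reasons:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec.get("c-ip"),
                         "uri": rec.get("cs-uri-stem"), "reasons": reasons})
    return hits
```

Without the '+' encoding, that agent string is the ordinary Internet Explorer 11 User-Agent on Windows 10, so the User-Agent alone is a weak signal; the AESKey and __VSTATEGENERATOR parameters are the stronger indicators and the ones worth alerting on.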

Please go here to download the original

for detailed information. Thanks for reading this post. Please share it and help to save the digital world.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
