Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS).
IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains.
IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.
Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate eeb requests, it provides a stealthy way to further burrow into the compromised network.
The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server.
“By hijacking and modifying IIS web server code, Frebniis is able to intercept the regular flow of HTTP request handling and look for specially formatted HTTP requests,” Symantec researchers wrote. “These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.”
Before Frebniis can work, an attacker must first hack the Windows system running the IIS server. Symantec researchers have yet to determine how Frebniis does this.
Frebniis parses all HTTP POST requests invoking the logon.aspx or default.aspx files, which are used to create login pages and serve default web pages, respectively. Attackers can smuggle requests into an infected server by sending one of these requests and adding the password “7ux4398!” as a parameter. Once such a request is received, Frebniis decrypts and executes .Net code that controls the main backdoor functions. To make the process more stealthy, the code drops no files to disk.
The .NET code serves two purposes. First, it provides a proxy that allows attackers to use the compromised IIS server to interact or communicate with internal resources that would otherwise be inaccessible from the Internet. The following table shows the commands it’s programmed to carry out:
|1||CreateConnect||Host:Port||Connect to a remote system for proxying, returns a UUID representing the remote system|
|2||ReadScoket||Uuid||Read a Base64 string from a remote system|
|3||Writescoket||Uuid, Base64 string||Write a Base64 string to a remote system|
|4||CloseScoket||Uuid||Close the connection|
The second purpose of the .Net code is to allow the remote execution of attacker-provided code on the IIS server. By sending a request to the logon.aspx or default.aspx files that includes code written in C#, Frebniis will automatically decode it and execute it in memory. Once again, by executing the code directly in memory, the backdoor is much harder to detect.
It’s not clear how widely used Frebniis is at the moment. The post provides two file hashes associated with the backdoor but doesn’t explain how to search a system to see if they exist.