Skip to main content

Israeli cybersecurity firm Sygnia reported a new highly capable and persistent threat actor doubled “Praying Mantis” or “TG2021” launched advanced memory-resident attacks on Microsoft IIS servers of major high-profile public and private entities in the US. Let’s see who is behind the attacks, on whom the attacks were launched, and at last, how to prevent Advanced Memory Resident Attacks. 

Victims Of Advanced Memory Resident Attacks:

According to the report, The threat actor, operating almost completely in memory. The threat actors mostly targeted Windows internet-facing servers to load a completely volatile, custom malware platform tailored for the Windows IIS environment in the US.

Who Is behind Advanced Memory Resident Attacks?

The research organization named the advance persisted attacker “Praying Mantis” or “TG2021”. Based on the Tactics, Techniques, and Procedures (TTPs) used in the attack were similar to those of “Copy-Paste Compromises” nation-sponsored actor, Please check the advisory released by the Australian Cyber Security Centre (ACSC).

Vulnerabilities Used Targeting IIS Servers:

The actor leveraged a variety of exploits targeting internet-facing Microsoft IIS servers to gain initial access. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications to execute a sophisticated memory-resident malware that acts as a backdoor. The malware is known as the “NodeIISWeb” malware. Let see the identified vulnerabilities used to exploit to deploy the NodeIISWeb malware.

#1. Checkbox Survey RCE Exploit (CVE-2021-27852)

A 0-day vulnerability is associated with the insecure implementation of the deserialization mechanism within the “Checkbox Survey” web application. This vulnerability enables attackers to execute remote code execution (RCE) on the target resulting in the initial compromise of an IIS server. 

#2. VIEWSTATE Deserialization Exploit:

“The threat actor also leveraged and exploited the standard VIEWSTATE deserialization process to regain access to compromised machines. VIEWSTATE is a mechanism in .NET used to maintain and preserve web page session data between a client and a server. “By Sygnia, a Israeli based cybersecurity firm.

#3. Altserialization Insecure Deserialization:

ASP.NET allows web applications to store user sessions in a session object to be used later. The application saves the serialized .NET session object to an MSSQL database and assigns it to a cookie. When the user tries browsing the application again with the cookie, the session state is loaded and deserialized. The vulnerability enables to craft a malicious serialized object and writes to the database, leading to remote code execution on a web application server if the implanted cookie is passed in an HTTP request.

See Also Step-by-Step Procedure to Install Windows 10 on A Raspberry Pi 4

#4. Telerik-UI Exploit (CVE-2019-18935CVE-2017-11317):

A suite of UI components for web applications was found to be vulnerable due to weak encryption, enabling a malicious actor to upload a file and/or to run malicious code. TG1021 used this vulnerability to upload a web shell loader on the targets, which is used to upload additional malware modules in the later phases.–6PiuvBGAU

How To Prevent Advanced Memory Resident Attacks By Praying Mantis?

Prevention is the best way to protect. Please go through these points which would help preventing Advanced Memory Resident Attacks on your IIS servers.

  • View State data is removed from version 7.0. Use Checkbox Survey 7.0 or above. which doesn’t contain the vulnerability.
  • Use newer versions of .NET to enforce encryption and validation of the VIEWSTATE data, which offers protection against this kind of exploit.
  • Always keep the encryption and validation keys safe. if the encryption and validation keys are stolen, Attackers bypass the integrity check mechanism and eventually execute malicious code on the IIS server.
  • Upgrade Telerik to R3 2019 SP1 (v2019.3.1023) or later.
  • Refer Telerik’s RadAsyncUpload security guide.
  • Configure the control according to the recommended security settings.

Indicators Of Compromise Of Advanced Memory Resident Attacks:

• Default.aspx (Loader web shell)

• NodeIISWeb.dll

• PSRunner.dll (Memory Resident)

• PotatoEx.dll (Memory Resident)

• ExtDLL.dll (Memory Resident)

• WebTunnel.dll (Memory Resident)

• AssemblyManager.dll (Memory Resident)

• ReflectiveLoadForms.dll

• Malicious HTTP Identifiers:
User-agent hard-coded in the tools –
HTTP parameter and cookie – “AESKey”

Leave a Reply