Researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems. The malware, dubbed Frebniis, was used against targets in Taiwan.
IIS is a web server running on Windows systems to serve requested HTML pages or files. These servers can accept requests from remote client computers and then return the appropriate response.
The technique used by Frebniis involves injecting malicious code into the memory of a DLL file related to an IIS feature used to troubleshoot and analyze failed web page requests.
IIS has a feature known as Failed Request Event Buffering (FREB) that collects data and details about requests, such as the originating IP address and port, HTTP headers and cookies. Abusing this feature enabled the malware to stealthily monitor all HTTP requests while also automatically recognizing specially formatted HTTP requests sent by the attacker.
These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files are dropped and no suspicious processes run on the system, making Frebniis a rare type of HTTP backdoor seen in the wild.
To utilize this method, an attacker would need to gain access to the Windows system running the IIS server by some other means.
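As an added, defender-oriented example (not from the page or the Symantec research): because Frebniis rides on the Failed Request Tracing feature, a useful baseline is knowing whether the FREB module is loaded at all and which sites have failed-request tracing enabled, so that unexpected changes stand out. The script audits an applicationHost.config; the sample fragment and site names are constructed, while the `FailedRequestsTracingModule` and `traceFailedRequestsLogging` names are IIS's own configuration elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an IIS applicationHost.config (not taken from a real
# server). On a live host the file is typically found at
# %windir%\System32\inetsrv\config\applicationHost.config.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true"
            directory="%SystemDrive%\\inetpub\\logs\\FailedReqLogFiles" />
      </site>
      <site name="Intranet" id="2">
        <traceFailedRequestsLogging enabled="false" />
      </site>
      <site name="Api" id="3" />
    </sites>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="FailedRequestsTracingModule"
           image="%windir%\\System32\\inetsrv\\iisfreb.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_freb(config_xml: str) -> dict:
    """Report whether the FREB module is loaded and which sites have it enabled."""
    root = ET.fromstring(config_xml)

    # The module is only active if it is registered under <globalModules>.
    module_loaded = any(
        add.get("name") == "FailedRequestsTracingModule"
        for gm in root.iter("globalModules")
        for add in gm.findall("add")
    )

    # Per-site switch: <traceFailedRequestsLogging enabled="true"> under <site>.
    enabled_sites = []
    for site in root.iter("site"):
        trace = site.find("traceFailedRequestsLogging")
        if trace is not None and trace.get("enabled", "false").lower() == "true":
            enabled_sites.append(site.get("name"))

    return {"module_loaded": module_loaded, "freb_enabled_sites": enabled_sites}


if __name__ == "__main__":
    print(audit_freb(SAMPLE_CONFIG))
```

Comparing the output against a known-good baseline of which sites are expected to have tracing enabled turns this into a simple drift check.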
This research was documented by researchers from Symantec.