Hackers Abuse IIS Feature to Deploy New Frebniis Malware

A recently discovered threat to Microsoft’s Internet Information Services (IIS) involves the deployment of a new type of malware known as “Frebniss.”

This malware is being used by hackers in order to carry out stealthy commands through web requests that are transmitted through the Internet.

Symantec’s Threat Hunter Team, Broadcom Software recently made an alarming discovery related to this new malware, “Frebniis.” According to their report, this malware is currently being deployed by an unknown threat actor against targets based in Taiwan.

Microsoft IIS is a powerful software application platform used for web server functionality and web application hosting. Among its many uses, Microsoft IIS serves as a vital platform for services such as Outlook on the Web for Microsoft Exchange. 

This software platform is highly reliable and allows for easy access to web applications and services, making it a popular choice for individuals and businesses alike.

Frebniis Abuse IIS Feature

Frebniis’ method injects harmful code into the memory of iisfreb.dll, a DLL file associated with an IIS feature utilized for examining unsuccessful web page requests.

With the help of this, all HTTP requests are stealthily tracked by the malware and detect specific formats of requests from the attacker, leading to the possibility of executing remote code.

The attacker must obtain access to the Windows system that operates the IIS server using another method to apply this tactic. But, how the access was attained in this instance remains uncertain.

Symantec detected attacks where hackers exploit an IIS function named ‘Failed Request Event Buffering’ (FREB) that acquires request metadata, including IP addresses, HTTP headers, and cookies.

The injected .NET backdoor enables C# code execution and proxying without disk interaction, which renders it undetectable. A specific password parameter is looked for when the pages logon[.]aspx or default[.]aspx are requested.

Using a base64 encoded string as a second HTTP parameter, Frebniis can command and interact with other systems through the compromised IIS, which could access secured internal systems that are not publicly available.

Supported Commands

Here below we have mentioned all the commands that this malware supports:-

By exploiting the FREB component, the attacker can avoid detection by security measures, which is its significant benefit. This exceptional HTTP backdoor does not produce suspicious system processes, files, or traces.

While the exact route of the initial compromise is uncertain, but, it’s strictly advisable to update your software on an immediate basis to mitigate the risk of threat actors exploiting vulnerabilities that are already known.

In this case, monitoring the network traffic of a company’s network with the help of sophisticated network traffic surveillance tools can also assist in detecting unusual activities on the network that may be caused by Frebniis or any other malware.

Network Security Checklist – Download Free E-Book