Security researchers have noted a new piece of malware that can install a backdoor just by making an HTTP request.
Dubbed Frebniis by Symantec’s Threat Hunter Team, the malware has been employed against targets in Taiwan by an unidentified threat actor.
Frebniis takes advantage of an IIS feature called Failed Request Event Buffering (or FREB), which usually collects information about where HTTP requests are coming from; the associated Failed Request Tracing feature can look at why a request may be failing.
The malware hijacks a function that compares failed requests to Failed Request Tracing rules and injects malicious code into the process memory of IIS. By doing so, Frebniis can track every HTTP request to the infected server, and since it only runs in memory, it can do so very stealthily.
The injected code then looks for any HTTP request carrying a particular password parameter. When it finds one, it triggers a section of the code that runs a .NET executable, which is the main backdoor itself. A second HTTP parameter then enables remote code execution via a proxy.
“The proxy is used to send and receive Base64 encoded data from other computer systems,” Symantec’s researchers said in a blog post. “This allows the attackers to communicate with internal resources that may normally be blocked from the internet via the compromised IIS server.”
And, again, the whole process happens without any processes actually running on the infected system and without any files being installed or altered. However, the Threat Hunter Team does note that some access to a network is required to install the initial code.
“In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means,” Symantec’s researchers note.
“In this particular case, it is unclear how this access was achieved.”
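An added defensive example, not from the article or from Symantec: because the hijacked function belongs to IIS Failed Request Tracing, this Python script inventories which sites have that feature enabled in an applicationHost.config file so the result can be compared with a known baseline. The sample configuration and the baseline are constructed for illustration, and the check reports configuration only; it does not detect code injected into memory.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an IIS applicationHost.config fragment (not from the article).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <traceFailedRequestsLogging enabled="false" />
      </siteDefaults>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true" />
      </site>
      <site name="Intranet" id="2" />
      <site name="Portal" id="3">
        <traceFailedRequestsLogging enabled="false" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""


def _tracing_enabled(element, inherited):
    """Return the element's own traceFailedRequestsLogging setting, else the inherited one."""
    node = element.find("traceFailedRequestsLogging") if element is not None else None
    if node is None or node.get("enabled") is None:
        return inherited
    return node.get("enabled").strip().lower() == "true"


def freb_enabled_sites(config_xml):
    """List the names of sites where Failed Request Tracing is switched on."""
    root = ET.fromstring(config_xml)
    sites = next(root.iter("sites"), None)
    if sites is None:
        return []
    # Sites without their own setting inherit siteDefaults; IIS defaults to disabled.
    default = _tracing_enabled(sites.find("siteDefaults"), False)
    return sorted(site.get("name", "?") for site in sites.findall("site")
                  if _tracing_enabled(site, default))


def unexpected_freb_sites(config_xml, baseline):
    """Sites with tracing enabled that are missing from the approved baseline set."""
    return [name for name in freb_enabled_sites(config_xml) if name not in baseline]


if __name__ == "__main__":
    approved = {"Default Web Site"}  # constructed baseline
    print("Tracing enabled on:", freb_enabled_sites(SAMPLE_CONFIG))
    print("Not in baseline:", unexpected_freb_sites(SAMPLE_CONFIG, approved))
```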
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.