Called Praying Mantis, or TG1021, by researchers at incident response company Sygnia, this group of hackers is a volatile custom malware toolset that specifically targets Internet Information Services (IIS) web servers. It focuses on avoiding detection using It performs credential harvesting, reconnaissance, and lateral movement.
In a detailed report, the Signia researchers said in a detailed report, “Given the nature of its activities and criminal methods, TG1021 is an experienced and covert actor and is very knowledgeable about OPSEC (Operational Security). It successfully evades commercial EDR by interfering with the command and control (C&C) server and shows considerable effort to evade detection by silently waiting for connections to come in rather than continuously generating traffic. Moreover, this threat actor effectively gave up persistence in exchange for stealth by using and removing all disk-resident tools.”
In programming, serialization is the process of converting data into a stream of bytes, usually transmitted over a wire. Deserialization is the opposite of serialization and, like most data parsing operations, can be a source of vulnerability if the user controls the input. Insecure deserialization flaws have been prevalent in Java applications for many years, but Java is not the only programming language where deserialization is universal.
Old-fashioned but modern deserialization exploits
The vulnerability exploited by Framing Mantis targets the deserialization implementation within ASP.NET. ASP.NET is an open source framework for developing web apps hosted on Windows IIS web servers.
ASP.NET has a mechanism called VIEWSTATE, which is used to store the state and control of a web page when it is sent to the client during a POST request. It is stored as a hidden input field called _VIEWSTATE. When the client performs a POST operation and returns the page to the server, the VIEWSTATE is deserialized and verified. ASP.NET ensures the validity of serialized data through several security and integrity checking mechanisms, but its correct use is up to the developer’s implementation.
Framing Mantis exploited a remote code execution (RCE) vulnerability caused by insecure deserialization of an ASP.NET application called Checkbox used to fulfill user surveys. At the time of attack by this group of hackers, the flaw was in a zero-day state and affected version 6 or earlier of checkboxes that used a custom implementation of the VIEWSTATE function. Checkbox version 7 has been available since 2019 and is unaffected, however, official support for Checkbox version 6 did not end until July 1.
“Before version 7.0, checkbox surveys implemented their own VIEWSTATE function by accepting the a_VSTATE parameter, which is deserialized using a LosFormatter,” CERT/CC said in a report in May. The ASP.NET VIEWSTATE message authentication code (MAC) setting on the server is ignored because the checkbox is handled manually by the survey code. Without a MAC, an attacker could generate arbitrary code, deserialize it, and then execute arbitrary code.”
Framing Mantis had a good overall understanding of the deserialization flaw, and exploited it in several ways to propagate and persist. For example, newer versions of ASP.NET support VIEWSTATE integrity checking and encryption, but if the encryption and authentication keys are stolen or compromised, it can be used to re-infect the server or infect other servers within the same cluster hosting the same application. there is. This is because these secret keys are shared.
“During the investigation of Signia, the TG1021 hacked the IIS web server using the stolen decryption and verification key,” the researchers said. “The flow of the VIEWSTATE deserialization exploit is almost identical to the VSTATE exploit described above. It does not compress the VIEWSTATE data, but coordinates its encryption and signature.”
This group of attacks also exploited the session storage mechanism that serialization relied on. ASP.NET allows an application to store a user session as a serialized object in an MSSQL database and then assign a unique cookie. When the user’s browser visits the application again and has one of these stored cookies, the application loads the corresponding session object from the database and deserializes it.
Attackers exploited this feature to spread inside. By accessing the compromised IIS web server through the previous vulnerability, it created a malicious session object and associated cookie and stored it in the Microsoft SQL database.
It then sent a request to another IIS server belonging to the same infrastructure and using the same database, and included a malicious cookie in the request. This forced an application instance to load a maliciously crafted session object, deserialize it, and then run it on these servers, leading to remote code execution (RCE).
Framing Mantis was also found to have exploited a deserialization vulnerability in other apps. For example, CVE-2019-18935. This is an RCE flaw due to insecure deserialization in JSON parsing and affects the Telerik UI for ASP.NET AJAX.
Teleric is a suite of user interface components widely used in web applications. An exploit (CVE-2017-11317) for an old arbitrary file upload flaw affecting telerics was also used by this attack group.
These attackers exploited these RCE vulnerabilities to reflexively load a malicious DLL into the memory of a vulnerable web server. After that, the DLL loaded a malicious component the researchers called ‘NodeIISWeb’ into the w3wp.exe process. This is the IIS work process that handles web requests sent to the IIS web server for the configured IIS application pool.
Malware framework built specifically for IIS
Reflective loading is a technique that injects a malicious DLL into an existing process and links its function. The advantage of this technique is that it bypasses certain windowing mechanisms, such as registering the DLL as a module at runtime, and the file is not actually written to disk.
The downside is that the infection is not persistent. Since the malicious DLL stays only in RAM, it disappears when the parent process restarts. Because production web servers run for a long time, this is an effective technique for hiding hacks.
Instead of a reflective DLL loader, Praying Mantis sometimes uses a web shell to load NodeIISWeb. This is not a remote code execution vulnerability based on deserialization, but more common when exploiting a file upload vulnerability such as CVE-2017-11317.
This is because the web shell is a malicious web script/application that is uploaded to the server’s file system and can be accessed remotely via HTTP. Framing Mantis’ web shells are usually short-lived. This is because NodeIISWeb is uninstalled after it is deployed.
The NodeIISWeb malware can read all HTTP traffic coming to the server by connecting to the IIS input validation function. In this way, the attacker can control the malicious code by sending a request to the server that is manipulated with the specific cookie name and value that the malicious code expects and monitors.
NodeIISWeb does not create outgoing connections to the C&C server because an attacker can send commands with this HTTP mechanism. These are connections that traffic monitoring programs are likely to detect.
NodeIISWeb is used to deploy another custom Windows backdoor, commonly called ExtDLL.dll, which manipulates files and directories, gathers system information, executes DLLs, and implements various attack techniques, including code injection and token manipulation. can be used to It also connects to and manipulates various security features on the system and hides its activity. For example, AV scanning function, event log reporting function, .NET code reliability check, PowerShell related registry key, etc.
One of the additional DLL modules loaded by NodeIISWeb and ExtDLL.dll is called PSRunner.dll, which allows running PowerShell scripts on the host without spawning a PowerShell process. Also, a module called Forward.dll implements HTTP traffic forwarding function.
PotatoEx.dll is a privilege elevation tool and an Active Directory mapping tool. E.dll creates a custom HTTP response, allowing an attacker to verify that the exploit was successfully executed on the target IIS server.
Framing Mantis accessed the hacked IIS server, modified the application’s login page, captured user authentication information, and stored it in a separate file. It also deployed publicly available offensive security tools such as SharpHound and PowerSploit that load directly into memory without leaving a trace on disk.
This attack group also accessed the shared folder on the internal server through the SMB port using the hacked domain credentials.
It is not easy to detect the activity of the Fraing Mantis. This is because of the volatility of memory-resident malware and the vigilance of their security. Signia researchers scan IIS servers with YARA rules designed to patch .NET deserialization vulnerabilities, catch the signs of infection described in this report, and detect tools from this attack family, and actively track suspicious activity in the IIS environment. recommended to do
How to detect and prevent playing mantis
Validating the use of ASP.NET VIEWSTATE or a custom implementation thereof (such as a compressed VSTATE in a checkbox survey) is critical to protecting ASP.NET applications from VIEWSTATE deserialization flaws.
The enableViewStataMac variable in IIS configuration should be set to ‘True’, and the aspnet:AllowInsecureDeserialization variable should be set to ‘False’.
Registry key AspNetEnforceViewStateMac should be set to ‘1’ and encryption and verification keys should be managed carefully. Servers should use auto-generated or machine keys on the IIS server, and should be rotated regularly to reduce the likelihood of exploitation by stolen or compromised keys.
Signia said, “When ASP.NET session state is used by a web application, database access should be made only from a legitimate network location.” Generate a reasonable minimum CRUD permission. Ensure that the .NET web application is running with the specified application set ID with minimal privileges. This will create additional obstacles for the TG1021.”
In addition to Signia’s report, there are recommendations published last year by the Australian Government’s Cyber Security Center (ACSC). This includes hacking signs and attack techniques that partially overlap with the playing mantis activity observed by Signia.
The recommendation was published in response to what the ACSC at the time called a ‘continuous targeted attack on the Australian government and businesses by sophisticated state-based actors’. “This is the most serious and systematic cyberattack on an Australian institution that the Australian Government has ever observed,” the ACSC said. [email protected]
Source: ITWorld Korea by www.itworld.co.kr.
*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!