Mysterious APT group locks down (IIS) web servers, good at evading malware detection

PrayingMantis (Mantis) is likely a nation-state hacking group that uses custom malware and excels at evading detection.

Over the past year, a sophisticated and highly likely state-backed threat actor has been exploiting a deserialization vulnerability in public-facing ASP.NET applications to deploy fileless malware, compromising some Major public and private organizations.

Researchers at incident response firm Sygnia named the group “Praying Mantis” (TG1021). The hacking group is reported to perform credential harvesting, reconnaissance and lateral movement tasks by using a custom malware toolset built for Internet Information Services (IIS) web servers. In addition to this, the group has also made great efforts to evade malware detection.

Sygnia researchers said in a detailed report:

“The nature of the activity and its modus operandi suggest that TG1021 is an experienced threat group with a high level of knowledge of OPSEC (Operational Security). The malware used by TG1021 works by actively interfering with logging mechanisms, successfully evading commercial EDR, and silently waiting for incoming connections. , instead of connecting back to the C2 channel and continuously generating traffic, showing a significant effort to avoid detection. Furthermore, the attacker actively removed all disk-resident tools after use, effectively giving up persistence in exchange for stealth sex.”

New and old deserialization exploits

In programming, serialization is the process of converting data into a stream of bytes, usually transmitted over a network. Deserialization is the reverse of the process, and like most data parsing operations in software, it can be a source of vulnerability if the user controls the input. Insecure deserialization vulnerabilities have plagued Java applications for years, but Java isn’t the only programming language commonly used for deserialization.

The vulnerability exploited by Praying Mantis is aimed at the deserialization implementation in ASP.NET, an open-source framework for developing web applications hosted on Windows IIS web servers. ASP.NET has a mechanism called “VIEWSTATE” that the framework uses to store the state and controls of a web page when sent to the client during a POST request. It is stored as a hidden input field named “_VIEWSTATE”. When the client performs a POST operation and sends the page back to the server, the VIEWSTATE is deserialized and validated. ASP.NET provides some security and integrity checking mechanisms to ensure that serialized data is valid, but their proper use comes down to the developer’s implementation.

Researchers have discovered that Praying Mantis exploits a Checkbox Survey remote code execution (RCE) vulnerability (CVE-2021-27852), the Checkbox app that allows website owners to conduct user surveys. It is reported that at the time of the attack, the RCE vulnerability was still in a 0-day state and affected Checkbox V6 and earlier versions. Although Checkbox V7 has been available and unaffected since 2019, official support for Checkbox V6 will not end until July 1.

Analysts at CERT/CC said in a May consultation:

“Prior to version 7.0, Checkbox Survey implemented its own VIEWSTATE functionality by accepting a _VSTATE parameter, which was then deserialized using LosFormatter. Since this data was handled manually by the Checkbox Survey code, the ASP.NET VIEWSTATE message authentication on the server The code (MAC) setting is ignored. Without the MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.”

The Praying Mantis group seems to have a very deep understanding of anti-sequencing vulnerabilities, and they use this mechanism in various ways for lateral movement and persistence in their attacks. For example, even though newer versions of ASP.NET support VIEWSTATE integrity checking and encryption, if encryption and authentication keys are stolen or compromised, they can be used to re-infect a server or to infect other servers in the same cluster hosting the same application , because the key is shared.

According to the researchers, “In a Sygnia investigation, TG1021 exploited stolen decryption and authentication keys to exploit an IIS web server. The flow of the VIEWSTATE deserialization exploit is almost the same as the VSTATE vulnerability explained above, with tweaks to the VIEWSTATE data is encrypted and signed, not compressed.”

The group also took advantage of a session storage mechanism that relies on serialization. ASP.NET allows applications to store user sessions as serialized objects in an MSSQL database and then assign unique cookies to them. When the user’s browser visits the application again and has saved some of these cookies, the application loads the corresponding session object from the database and deserializes it.

Attackers exploit this capability for lateral movement by using access to the IIS web server (compromised by the vulnerability described above) to generate malicious session objects and associated cookies, which are stored in a Microsoft SQL database. They then send requests to other IIS servers that belong to the same infrastructure and use the same database, and include malicious cookies in the request. This forces application instances running on these servers to load and deserialize maliciously crafted session objects from the database, resulting in remote code execution (RCE).

Researchers have also observed Praying Mantis exploiting deserialization vulnerabilities in other applications, such as CVE-2019-18935, which is also an RCE vulnerability stemming from insecure deserialization in JSON parsing, and affects a program called Telerik UI for Products for ASP.NET AJAX. Telerik is a set of user interface components widely used in web applications. Additionally, the group used another older arbitrary file upload vulnerability (CVE-2017-11317) that affects Telerik.

Malware framework tailored for IIS

Hackers exploit these RCE vulnerabilities to reflexively load malicious DLLs into the memory of vulnerable web servers. This DLL then reflectively loads a malware component. Reflective loading is a technique for injecting malicious DLLs into existing processes and hooking their functionality. The benefit of this technique is that some Windows mechanisms (such as registering the DLL as a module at runtime) are bypassed and the file is not actually written to disk; the downside is the lack of persistence of the infection, as the rogue DLL lives only in RAM , so if you restart its parent process, it will disappear. Due to the high uptime of such web servers, trading persistence for invisibility is an effective means.

In addition to the reflection DLL loader, Praying Mantis sometimes uses a web shell to load NodeIISWeb. This is more common when the group exploits a file upload vulnerability such as CVE-2017-11317 rather than a deserialization-based remote code execution vulnerability, as web shells are essentially malicious web scripts/applications uploaded to the server’s file system program, which can be accessed remotely via HTTP. Praying Mantis’ web shells are usually short-lived, and the organization removes them as soon as NodeIISWeb is deployed.

The NodeIISWeb malware hooks into the IIS input validation feature and can read all incoming HTTP traffic to the server, giving attackers a way to control the malware. Since attackers can send instructions through this HTTP mechanism, NodeIISWeb does not generate outgoing connections to command and control servers that might be detected by traffic monitoring solutions.

That is, the malware program implements multiple traffic forwarding methods for TCP, HTTP, and SQL, allowing it to act as a proxy or command and control channel itself for other malware instances running on the infected server within the same network, while These instances may not be directly exposed on the Internet. It can also execute JScript payloads and load other DLL modules that extend its functionality.

NodeIISWeb is often used to deploy another custom Windows backdoor called “ExtDLL.dll” which can be used to manipulate files and directories, collect system information, load and execute DLLs and implement various attack techniques such as code injection and tokens operate. This component also hooks and manipulates various security features present on the system to hide its activity, including antivirus scanning features, event log reporting features, and more. NET code trust checking and PowerShell related registry keys.

One of the additional DLL modules loaded by NodeIISWeb and ExtDLL.dll is called “PSRunner.dll” and it allows running PowerShell scripts on the host without spawning a PowerShell process. The other is called “Forward.dll”, which can implement HTTP traffic forwarding function. “PotatoEx.dll” is a privilege escalation tool and Active Directory mapping tool, while “E.dll” is a component that generates a custom HTTP response, allowing an attacker to verify that the exploit was successfully executed on the target IIS server.

Praying Mantis leveraged its access to the compromised IIS server to modify the login pages of existing applications to capture user credentials and save them in a separate file, also deploying publicly available offensive security tools including SharpHound and PowerSploit that load directly into memory without leaving a trace. The group was also found to be using leaked domain credentials to access shared folders on internal servers via SMB.

Praying Mantis Detection and Prevention

Due to the volatile nature of its memory-resident malware, and the group’s deep understanding of operational security, it was not easy to detect Praying Mantis’ activity. Sygnia researchers suggest patching. NET deserialization vulnerabilities, search for indicators of compromise published in reports, scan Internet-facing IIS servers using YARA rules designed to detect the organization’s tools, and actively look for suspicious activity in IIS environments.

Validating the use of ASP.NET VIEWSTATE or a custom implementation of the same mechanism (such as compressed VSTATE in Checkbox Survey) is critical to protecting ASP.NET applications from VIEWSTATE deserialization vulnerabilities. The enableViewStateMac variable in the IIS configuration should be set to “True” and the aspnet:AllowInsecureDeserialization variable should be set to “False”. The registry key AspNetEnforceViewStateMac should be set to “1” and encryption and authentication keys should be handled with care. The server should use an auto-generated key or the machine key on the IIS server should be changed regularly to reduce the possibility of misuse due to theft or compromise of the key.

researchers say

“If your web application uses ASP.NET session state, make sure the database is only accessible from legitimate network locations. Separate the session state MSSQL database between different IIS servers/web applications as much as possible, or use an appropriate minimal CRUD permissions to create different SQL users. Make sure your .NET web application runs with the lowest possible permissions using the specified application pool identity. This can increase the difficulty of the attack by the TG1021 group.”

In addition to the report published by Sygnia, in June 2020, the ACSC also released a report detailing the tactics, techniques and procedures of Copy-Paste, a state-sponsored threat group targeting Australian public and private sector organisations. The report states that Copy-Paste uses various deserialization exploits, specifically the Telerik UI vulnerability and VIEWSTATE handling in Microsoft IIS servers. This is a technical indicator of compromise and attack that partially overlaps with the Praying Mantis activity observed by Sygnia. Whether there is a connection between the two is not yet known.

The Links:   NL8060BC21-04 DFA100BA160