Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems.
According to an advisory published last Thursday by Symantec, the malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan.
“The technique used by Frebniis involves injecting malicious code into the memory of a [dynamic link library] DLL file [...] related to an IIS feature used to troubleshoot and analyze failed web page requests,” reads the technical write-up.
At a basic level, IIS is a web server running on Windows systems to serve requested HTML pages or files. These servers can accept requests from remote client computers and then return the appropriate response.
“IIS has a feature known as Failed Request Event Buffering (FREB) that collects data and details about requests, such as originating IP address and port, HTTP headers with cookies, etc.,” explained the Symantec team.
According to the security researchers, exploiting this tool enabled the malware to stealthily monitor all HTTP requests while also automatically recognizing specially formatted HTTP requests sent by the attacker.
“These requests allow remote code execution [RCE] and proxying to internal systems in a stealthy manner,” reads the advisory. “No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.”
The Symantec team clarified that to use this technique, an attacker would need to gain access to the Windows system running the IIS server by some other means. In the attack described in the advisory, the security researchers wrote that it was unclear how this access was achieved.
This is not the first time Microsoft’s IIS has been used for malicious purposes. Back in 2020, the tech giant patched their servers after an increase in this type of attack.
More recently, Microsoft released patches for over 70 CVEs, including three zero-day vulnerabilities.