This Base64 string is decoded and then decrypted (xor 0x08) and expected to be an XML document with the C# code to executed in the '/doc' node under the 'data' attribute (E.g. Also, it looks for requests made to the 'logon.aspx' or 'default.aspx' pages with a specific password parameter.įurther, based on a second HTTP parameter, which is a base64 encoded string, Frebniis is instructed to communicate and execute commands on other systems via the compromised IIS. This injected code supports proxying and C# code execution without touching the disk, making it completely stealthy.
NET backdoor which injects malicious code into FREB ("iisfreb.dll") to intercept any HTTP POST requests sent to the ISS server. As per Symantec's Threat Hunter team, attackers targeted Microsoft Information Security Services using a new Frebniss malware which stealthily executes commands sent via web requests.Īccording to analysts' report, during the attack, attackers abuse an IIS feature called 'Failed Request Event Buffering' (FREB) which is responsible for collecting request metadata (IP address, HTTP headers, cookies), and hackers were found utilizing the.
0 kommentar(er)
