A new threat actor is targeting Windows servers with “almost completely in-memory” attacks, according to a new report by the Sygnia Incident Response team.
A new threat actor called “Praying Mantis” or “TG1021” reportedly uses custom malware to target Windows IIS environments and “leaves little-to-no trace” on infected machines.
“TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers wrote.
Over the last year, the company’s incident response team responded to multiple cyberattacks by the actor that targeted several prominent organizations that Sygnia did not name.
The report states that “Praying Mantis” was able to exploit the Internet-facing servers of various companies. The threat actor’s activities included credential harvesting, reconnaissance, and lateral movement.
The attacker’s toolset is almost completely in-memory, Sygnia said in the report.
“The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks,” the report explained.
The nature of the operation and the various characteristics of the malware used by TG1021 suggest that it is an experienced actor who is highly aware of operations security:
“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic.”
“Praying Mantis” managed to wipe all disk-resident tools that were used in the attacks, trading persistence for stealth.
The researchers noted that the methods used by the attacker resembled those used in a June 2020 advisory from the Australian Cyber Security Centre that warned about a “sophisticated state-sponsored actor” that represented “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”
“The actor leveraged a variety of exploits targeting internet-facing servers to gain initial access to target networks. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications and are used to execute a sophisticated memory-resident malware that acts as a backdoor,” the Sygnia report said.
“The threat actor uses an arsenal of web application exploits and is an expert in their execution. The swiftness and versatility of operation combined with the sophistication of post-exploitation activities suggest an advanced and highly skillful actor conducted the operations.”
The attackers exploited multiple vulnerabilities to gain escalated access to a web application, among them a 0-day vulnerability in the “Checkbox Survey” web application, as well as flaws in IIS servers and in the standard VIEWSTATE deserialization process.
Researchers at Sygnia Security advised searching for IoCs and using YARA rules to detect and prevent exploitation of internet-facing servers. They also suggested patching all .NET deserialization vulnerabilities.
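One defender-side check that follows from the VIEWSTATE point above, as an added example that is not from Sygnia's report: a small Python audit of an ASP.NET web.config for the settings that let a client submit an unsigned or weakly signed ViewState. The two web.config snippets inside are constructed for illustration, not taken from any real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the report): MAC validation off,
# encryption off, a deprecated validation algorithm and hardcoded keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Same skeleton with the settings a defender wants to see (also constructed).
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_viewstate(web_config_xml):
    """Return (code, detail) findings for the ViewState settings in one web.config."""
    root = ET.fromstring(web_config_xml)
    findings = []
    pages = root.find("system.web/pages")
    if pages is not None:
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("MAC_DISABLED", "enableViewStateMac=false lets any client submit "
                             "an unsigned ViewState, so deserialization runs attacker-chosen data"))
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append(("NO_ENCRYPTION", "viewStateEncryptionMode=Never exposes serialized "
                             "page state to clients"))
    mk = root.find("system.web/machineKey")
    if mk is not None:
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_VALIDATION:
            findings.append(("WEAK_VALIDATION", f"validation={algo} is deprecated; use HMACSHA256"))
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(("STATIC_KEY", f"{attr} is hardcoded; a leaked key allows forged "
                                 "ViewState, so confirm it is unique and rotate it if exposed"))
    return findings
```

Run it against each site's web.config after a deserialization patch cycle; an empty list for a hardened file is the expected result, and STATIC_KEY is informational on web farms where shared keys are deliberate.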