Threat actors are infecting Windows IIS (Internet Information Services) servers with malicious pages that urge visitors to download a fake certificate-update installer.
These malicious pages display the following message:
“Detected a potential security risk and has not extended the transition to [sitename]. Updating a security certificate may allow this connection to succeed. NET::ERR_CERT_OUT_OF_DATE.”
Attackers dropped TVRAT (aka TVSPY, TeamSpy, TeamViewerENT, or Team Viewer RAT) on infected systems, a piece of malware designed to give its operators full remote access to infected hosts.
“The operators behind the activity targeted Windows internet-facing servers, using mostly deserialization attacks, to load a completely volatile, custom malware platform tailored for the Windows IIS environment,” the researchers said.
Once installed on the affected device, the malware quietly starts an instance of the TeamViewer remote control software. That TeamViewer instance then contacts a command-and-control (C2) server to tell the attackers that they can remotely take control of the freshly compromised machine.
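A defender reading the description above will want a concrete way to spot a TeamViewer instance that was started by the web server rather than by an administrator. The following Python hunt script is an added example, not code from the article or from the researchers it cites. It runs over a few constructed process-creation records (fields modelled loosely on a Sysmon process-creation event) and flags TeamViewer binaries that were spawned by the IIS worker process (w3wp.exe), that run from a location other than the normal TeamViewer install directory, or where the interactive GUI binary runs in the non-interactive session 0. The binary names, install directories and all sample events are assumptions made for the example.

```python
"""Hunt for a hidden TeamViewer instance on an IIS server.

Added example: constructed process-creation records plus a small scoring
function. Nothing here is real telemetry; file names and paths are assumed.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    timestamp: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    user: str
    session_id: int     # Windows session; 0 is the non-interactive service session


# Constructed sample events (not real telemetry). The last one models the
# behaviour described in the article: the IIS worker process launching a
# TeamViewer binary dropped under a temp directory.
SAMPLE_EVENTS = [
    ProcEvent("2021-08-10T09:12:03Z", r"C:\Program Files\TeamViewer\TeamViewer.exe",
              r"C:\Windows\explorer.exe", r"CORP\jdoe", 1),
    ProcEvent("2021-08-10T09:12:04Z", r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM", 0),
    ProcEvent("2021-08-10T11:47:51Z", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool", 0),
    ProcEvent("2021-08-10T11:47:58Z", r"C:\Windows\Temp\tv\TeamViewer.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool", 0),
]

# Assumed binary names and install locations for the example.
TEAMVIEWER_BINARIES = {"teamviewer.exe", "teamviewer_service.exe"}
SERVICE_BINARIES = {"teamviewer_service.exe"}   # legitimately runs in session 0
IIS_WORKER_BINARIES = {"w3wp.exe"}
EXPECTED_TV_DIRS = (r"c:\program files\teamviewer",
                    r"c:\program files (x86)\teamviewer")


def _basename(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the host OS
    return ntpath.basename(path).lower()


def _in_expected_dir(path: str) -> bool:
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_TV_DIRS)


def flag_teamviewer_event(ev: ProcEvent) -> List[str]:
    """Return the reasons this event looks like a hidden TeamViewer instance (empty if none)."""
    name = _basename(ev.image)
    if name not in TEAMVIEWER_BINARIES:
        return []                      # other w3wp children deserve their own rule
    reasons: List[str] = []
    if _basename(ev.parent_image) in IIS_WORKER_BINARIES:
        reasons.append("spawned_by_iis_worker")
    if not _in_expected_dir(ev.image):
        reasons.append("unexpected_install_path")
    if ev.session_id == 0 and name not in SERVICE_BINARIES:
        reasons.append("gui_binary_in_session_0")
    return reasons


def hunt(events) -> List[Dict[str, object]]:
    """Apply the rule to every event and collect the findings."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        reasons = flag_teamviewer_event(ev)
        if reasons:
            findings.append({"timestamp": ev.timestamp, "image": ev.image,
                             "user": ev.user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['user']} {f['image']} -> {', '.join(f['reasons'])}")
```

Of the four constructed events only the last is reported, with all three reasons; the legitimately started desktop client and the TeamViewer service in session 0 pass, and the cmd.exe child of w3wp.exe is outside this rule's scope. In a real deployment the same logic would be fed from the endpoint's process-creation telemetry, and any TeamViewer process on a server that has no business running remote-control software is worth investigating regardless of the path it runs from.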
TVRAT initially appeared in 2013 as a malicious attachment sent via spam campaigns that deceived recipients into activating Office macros.
While the technique employed by the attackers to compromise IIS servers is still unknown, attackers may penetrate a Windows IIS server in a variety of ways.
For example, they could exploit a flaw in the HTTP Protocol Stack (HTTP.sys) used by the Windows IIS web server that was disclosed in May. However, that security issue (tracked as CVE-2021-31166) was addressed by Microsoft on the May Patch Tuesday, and it was clarified that it only affects Windows Server versions 2004/20H2 and Windows 10 versions 2004/20H2.
Since then, there hasn’t been any malicious activity exploiting this flaw, and most prospective targets were probably safe from attacks because most home users on the latest versions of Windows 10 had updated, and businesses don’t typically run the latest versions of Windows Server.
But other groups have targeted Microsoft IIS web servers, among them an advanced persistent threat (APT) group tracked as Praying Mantis or TG1021.