Hackers are deploying a new malware named ‘Frebniis’ on Microsoft Internet Information Services (IIS) servers that stealthily executes commands sent via web requests.
Frebniis was discovered by Symantec’s Threat Hunter Team, who reported that an unknown threat actor is currently using it against Taiwan-based targets.
Microsoft IIS is a web server that also serves as a hosting platform for web applications, including Outlook on the Web for Microsoft Exchange.
In the attacks seen by Symantec, the hackers abuse an IIS feature called ‘Failed Request Event Buffering’ (FREB), responsible for collecting request metadata (IP address, HTTP headers, cookies). Its purpose is to help server admins troubleshoot unexpected HTTP status codes or request processing problems.
The malware injects malicious code into a specific function of the DLL that implements FREB (“iisfreb.dll”), allowing the attacker to intercept and monitor all HTTP POST requests sent to the IIS server. When the malware detects the specific HTTP requests the attacker sends, it parses the request to determine what commands to execute on the server.
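Because Frebniis lives in the FREB module, an IIS administrator reading this will want to know which of their sites have Failed Request Tracing turned on, whether the iisfreb.dll on disk is the Microsoft-signed original, and where each worker process is loading it from. The script below is an added triage example and is not part of Symantec's report or any published Frebniis tooling; the function names, the default path under `%windir%\System32\inetsrv`, and the assumption that a clean host is available to compare hashes against are all mine. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from Symantec's report: Frebniis triage checks for an IIS host.
# Assumptions: WebAdministration module present, iisfreb.dll expected under inetsrv,
# and a clean host at the same patch level available for hash comparison.
Import-Module WebAdministration -ErrorAction Stop

$expectedDll = Join-Path $env:windir 'System32\inetsrv\iisfreb.dll'

function Get-FrebStatus {
    # iisfreb.dll is only loaded into w3wp.exe when Failed Request Tracing is enabled,
    # so sites with FRT on (and tracing rules defined) are the ones worth examining.
    foreach ($site in Get-Website) {
        $logging = Get-ItemProperty -Path "IIS:\Sites\$($site.Name)" -Name traceFailedRequestsLogging
        $rules   = @(Get-WebConfiguration -Filter 'system.webServer/tracing/traceFailedRequests/add' `
                                          -PSPath "IIS:\Sites\$($site.Name)")
        [pscustomobject]@{
            Site       = $site.Name
            FRTEnabled = [bool]$logging.enabled
            TraceDir   = $logging.directory
            RuleCount  = $rules.Count
        }
    }
}

function Test-FrebDll {
    # On-disk integrity of the FREB module: Authenticode status plus a SHA-256 to compare
    # against a known-good copy (no hash is hard-coded here; it varies by build and patch level).
    $sig  = Get-AuthenticodeSignature -FilePath $expectedDll
    $hash = (Get-FileHash -Path $expectedDll -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path       = $expectedDll
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Sha256     = $hash
        # Catalog-signed system files can report NotSigned on some builds, so treat a
        # non-Microsoft signer or a hash mismatch with the clean host as the actionable finding.
        Suspicious = ($sig.Status -ne 'Valid') -or ($sig.SignerCertificate.Subject -notmatch 'Microsoft')
    }
}

function Get-FrebLoadedModules {
    # Which worker processes have iisfreb.dll mapped, and from which path. A copy loaded from
    # anywhere other than inetsrv is a lookalike; the expected path does NOT rule out in-memory patching.
    foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'iisfreb.dll' }
        if ($mod) {
            [pscustomobject]@{
                ProcessId  = $proc.Id
                ModulePath = $mod.FileName
                Expected   = ($mod.FileName -ieq $expectedDll)
            }
        }
    }
}

Get-FrebStatus        | Format-Table -AutoSize
Test-FrebDll          | Format-List
Get-FrebLoadedModules | Format-Table -AutoSize
```

One caveat applies to all three checks: the article describes code being injected into a function of the loaded module, and if that patching happens in the memory of w3wp.exe rather than on disk, the signature and hash of iisfreb.dll stay clean and the module path looks normal. A clean result here narrows the search; it does not clear the host, and memory inspection of the worker processes (or EDR telemetry on them) is the next step.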
Symantec says that the threat actors must already have compromised the IIS server before they can tamper with the FREB module, but it could not determine how initial access was gained.