According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their attack campaigns noteworthy is that they are almost exclusively conducted in memory.
These attacks, also referred to as fileless attacks, use malware that runs from a machine's memory rather than being stored on its disk. This makes them harder to detect, as no files are written to the infected system, or at least none that are easily detected.
Since 2017 there has been a large uptick in attackers carrying out attacks this way. Researchers even found that malware strains that had gone out of fashion, such as exploit kits, were converted to adopt several fileless techniques, namely running in the browser's memory.
Praying Mantis activity targeted internet-facing Windows servers, using mostly deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment. Follow-on activity included credential harvesting, and the deployed malware was seen to have lateral movement and reconnaissance capabilities.
The group targeted high-profile public and private Western organizations, and researchers see its activity as confirming the current trend of nation-state threat actor tactics being used against private commercial operations.
Typically, once a foothold on the targeted network is achieved, the threat actors perform a variety of deserialization attacks. This is done, as stated by Sygnia researchers, to
“…utilize a completely volatile and custom malware framework tailor-made for IIS servers. The core component, loaded on to internet facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also use an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”
Researchers further determined that the threat actor is both highly skilled and aware of current operational security best practices. This enabled the threat actor to avoid detection by both personnel and security applications.
This can be seen in the attacker not relying on connections to a command-and-control server, which would typically result in the continuous generation of traffic that could in turn be detected. The attacker also always prioritized stealth over persistence on a victim's network. It was further noted that,
“The threat actor’s tactics, techniques, and procedures (TTPs) strongly correlate with the ones described in an advisory published by the Australian Cyber Security Centre (ACSC) – “Copy-paste compromises”. The advisory, published in June 2020, details the activity of a sophisticated state-sponsored actor who represents “the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed.”
The above-mentioned advisory can be read here.
Praying Mantis makes use of several deserialization exploits. By exploiting deserialization vulnerabilities, the attacker can alter the logic of a particular application and, if done correctly, execute arbitrary code. The first of these exploits covered by the report is the Checkbox Survey RCE exploit, tracked as CVE-2021-27852 and rated 9.8 (critical), meaning it is important to patch.
If not already done, patching this vulnerability should be treated as a priority. The flaw is found in the popular Checkbox survey application used by organizations and, when exploited, permits remote code execution.
The flaw itself resides in the VIEWSTATE mechanism in .NET. Researchers noted,
“VIEWSTATE is a mechanism in .NET used to maintain and preserve web page session data between a client and a server. When using this feature any client that browses an application receives a serialized .NET object that contains the values of specific variables. When the client sends an HTTP request back to the web application, the VIEWSTATE object is sent along with it, which in turn gets deserialized and processed on the server’s side setting the variables to their previous values.”
Another vulnerability exploited by Praying Mantis impacts VIEWSTATE directly. Simply referred to as the VIEWSTATE deserialization exploit, it let the attackers leverage VIEWSTATE's deserialization process to regain access to compromised machines. It is important to note that newer versions of .NET enforce encryption, which helps prevent this kind of exploitation.
That is not to say that newer versions are immune to attack. If the attacker gains access to the encryption and validation keys, they can bypass those checks and go on to execute code.
In attacks investigated by Sygnia, Praying Mantis used stolen decryption and validation keys to exploit IIS web servers. The flow of the VIEWSTATE deserialization exploit is almost identical to the exploit explained above, with the adjustment of encrypting and signing the VIEWSTATE data instead of compressing it.
The use of the flaw is critical to the success of the attack: because the attackers rely on volatile backdoors, VIEWSTATE is needed to regain access to compromised machines whenever access is lost.
Additionally, it was used to move laterally between machines in a cluster. This is possible because, if a web application is set to run in a cluster, all instances need to share the same secret keys, otherwise the VIEWSTATE feature would not work. The report covers several other deserialization vulnerabilities used by Praying Mantis that are beyond the scope of this article.
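As an added illustration, not taken from the Sygnia report or this article, the following audit reads a web.config and flags the .NET settings the passage turns on: whether VIEWSTATE is signed and encrypted, and whether the machineKey is a static key that a cluster shares and must therefore be protected and rotated after a compromise. The three configurations are constructed samples and the key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the Sygnia report): a weak
# configuration, a hardened one, and a cluster node with shared static keys.
WEAK_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

# Placeholder key values, not real keys.
CLUSTER_CONFIG = """<configuration><system.web>
  <pages viewStateEncryptionMode="Always" />
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""


def audit_viewstate(config_xml: str) -> list:
    """Return (severity, message) findings for one web.config string."""
    findings = []
    root = ET.fromstring(config_xml)
    pages = root.find("system.web/pages")
    mkey = root.find("system.web/machineKey")
    if pages is not None:
        # Without a MAC any client can forge the serialized object.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("high", "enableViewStateMac=false: VIEWSTATE is not signed"))
        if pages.get("viewStateEncryptionMode", "Auto") == "Never":
            findings.append(("medium", "viewStateEncryptionMode=Never: VIEWSTATE is unencrypted"))
    if mkey is not None:
        if mkey.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append(("medium", "weak machineKey validation algorithm"))
        # Static keys are what a cluster shares; a stolen copy signs VIEWSTATE for every node.
        static = [a for a in ("validationKey", "decryptionKey")
                  if "AutoGenerate" not in mkey.get(a, "AutoGenerate")]
        if static:
            findings.append(("info", "static " + "/".join(static) +
                             ": shared across the cluster, protect and rotate after compromise"))
    return findings
```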
Praying Mantis will perform credential harvesting, reconnaissance, and attempt to move laterally once the victim’s network is compromised and the custom malware payloads have been delivered. Credential harvesting is performed by modifying login pages to harvest the credentials entered by an end-user.
These are saved in clear text under username and password variables and are then sent back to the attacker. Before they are sent, they are stored in a file whose name mimics a file already found on the system, helping the data exfiltration blend in with normal network traffic.
Reconnaissance is done using publicly available offensive security tools like SharpHound. The tool is used to scan and map targets, and is loaded directly into the infected machine's memory without writing the binary to disk. Soon after execution, the threat actor retrieved the output files and deleted them.
In addition, PowerSploit was loaded and executed using the same technique. Lateral movement is done over SMB using compromised credentials as well as a piece of custom malware called NodeIISWeb.
As to similarities with the “Copy-paste compromises” warned of in the ACSC advisory, researchers noted,
“Much like TG1021, the threat actor described in the advisory utilizes a variety of deserialization exploits and specifically the Telerik UI vulnerabilities and VIEWSTATE handling in Microsoft IIS servers. There are major overlaps in the toolsets used by both actors, such as the usage of JScript payloads, Potato family malware and “Confuser” for obfuscation. The “PowerHunter” malware described in the advisory provides extremely unique functionality, highly similar to “ExtDLL.dll” described in this report.”
To defend against Praying Mantis attacks, researchers advise the following:
- Patching .NET deserialization vulnerabilities
- Searching for known indicators of compromise
- Scanning internet-facing IIS servers with a set of YARA rules (both the indicators of compromise and the YARA rules are published in the report)
- Actively hunting for suspicious activity in internet-facing IIS environments