"Hackers Backdoor Microsoft IIS Servers With New Frebniis Malware"

Hackers are deploying a new malware named Frebniis on Microsoft's Internet Information Services (IIS) that stealthily executes commands sent via web requests. Frebniis was found by Symantec's Threat Hunter Team, which revealed that an unidentified threat actor is using it against targets in Taiwan. Microsoft IIS is a web server and web app hosting platform for services such as Outlook on the Web for Microsoft Exchange. In the attacks observed by Symantec, hackers exploit an IIS feature called "Failed Request Event Buffering" (FREB), which is responsible for gathering request metadata (i.e., IP address, HTTP headers, and cookies). The feature's purpose is to help server administrators troubleshoot unexpected HTTP status codes or request processing issues. The Frebniis malware injects malicious code into a certain function of a DLL file that controls FREB, allowing an attacker to intercept and monitor all HTTP POST requests sent to the IIS server. When the malware detects specific HTTP requests sent by an attacker, it parses the requests to identify which commands to execute on the server. This article continues to discuss findings regarding the new Frebniis malware.

Bleeping Computer reports "Hackers Backdoor Microsoft IIS Servers With New Frebniis Malware"

Submitted by Anonymous on