A recent discovery by Palo Alto Networks’ Unit 42 has shed light on sophisticated malware targeting Internet Information Services (IIS) servers.
This malware, developed in C++/CLI, a rare choice for malware authors, has been designed to mimic the behavior of cmd.exe to evade detection.
The malware operates as a passive backdoor, integrating itself into the IIS server by registering for HTTP response events.
It filters incoming HTTP requests for specific headers, which are used to execute commands.
The commands and data are encrypted using AES and then Base64-encoded, adding a layer of complexity to its operations.
Technical Analysis
The malware has two versions, both of which were uploaded to VirusTotal from Thailand.
The newer version, compiled on May 9, 2023, employs a custom cmd.exe wrapper tool to execute commands, reducing the visibility of its activities by avoiding direct cmd.exe invocation from the IIS process.
This wrapper application is embedded within the malware and communicates via a named pipe, allowing it to redirect command-line commands from the command and control (C2) server and return results.
The malware supports a range of commands, including file management, process execution, and system information retrieval.
According to the Report, it also patches AMSI and ETW routines to evade detection by security software.
The use of C++/CLI for this malware is notable due to its rarity in the malware landscape.
This choice likely stems from the language’s ability to combine managed and unmanaged code, making analysis more challenging.
The malware’s sophistication and targeted nature suggest it may have been used in specific attacks, although attribution to a known threat actor remains elusive.
Detection and Protection
Palo Alto Networks’ Advanced WildFire and Cortex XDR/XSIAM solutions offer enhanced protection against this malware by leveraging memory analysis and behavioral threat protection.
These tools can identify and block both known and unknown malware, providing a robust defense mechanism against such sophisticated threats.
As the cybersecurity landscape continues to evolve, staying informed about emerging threats and employing advanced security solutions is crucial for organizations seeking to protect their infrastructure.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
