Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems. Dubbed Frebniis, the malware was used by a previously unknown threat actor against targets in Taiwan, according to an advisory published by Symantec.

Frebniis is a clever piece of malware that stealthily exfiltrates data and executes malicious code from a victim’s web server. The malware abuses the Microsoft IIS feature called Failed Request Event Buffering (FREB) to establish a backdoor and monitor all HTTP traffic to the infected system.

FREB collects information about requests, such as the origination IP address, ports, and HTTP headers, among others, and is usually used by administrators to troubleshoot issues with their servers. However, in this case, the malware abuses this feature to communicate secretly and establish a backdoor to the infected system.

How does Frebniis malware work?

The malicious code used by the Frebniis malware involves injecting code into the memory of a DLL file (iisfreb.dll) related to IIS. This allows the malware to intercept and execute malicious code on the server and also allows it to collect data and exfiltrate it through the backdoor.

The malware remains hidden and undetected by anti-virus software by using advanced techniques to evade detection. The malware does not install any new files on the system and runs only in the memory of the server, which makes it difficult to detect.

Frebniis is an ultra-stealthy malware that uses the following techniques to remain undetected:

  • It uses a rootkit to hide its presence on the server and evade detection.
  • It communicates with its command and control server over the HTTP protocol, making it difficult to detect as most network security solutions allow HTTP traffic.
  • It encrypts all communication with its command and control server to avoid detection by security solutions.
  • It uses advanced obfuscation techniques to conceal its code, making it difficult to analyze.

Who is affected by Frebniis?

Currently, the threat actor behind Frebniis is unknown, and the malware was used against targets in Taiwan. However, it is important to note that any server running Microsoft’s Internet Information Services (IIS) software is potentially vulnerable to this type of attack.

According to Symantec, the following versions of IIS are vulnerable to this type of attack:

  • IIS 7.0
  • IIS 7.5
  • IIS 8.0
  • IIS 8.5
  • IIS 10.0

Therefore, it is crucial that organizations running IIS servers take necessary precautions to secure their systems.

How can organizations protect against Frebniis?

Organizations can take the following steps to protect against Frebniis:

  • Ensure that their IIS servers are up-to-date with the latest security patches and updates.
  • Implement secure configurations for IIS servers and review the configurations regularly.
  • Use security software that includes anti-virus, anti-malware, and intrusion detection and prevention systems to detect and prevent attacks.
  • Monitor network traffic for suspicious activity and investigate any anomalies.
  • Train employees on the importance of cybersecurity and the risks of clicking on suspicious links or downloading suspicious files.
  • Establish an incident response plan that outlines the steps to take in the event of a security breach.

The Takeaway

Frebniis is a dangerous new malware that exploits a legitimate feature of Microsoft’s Internet Information Services (IIS) to establish a backdoor and exfiltrate data from a victim’s server. The malware is ultra-stealthy and difficult to detect, making it a significant threat to organizations that use IIS servers. However, with proper security measures and employee training, organizations can protect themselves against Frebniis and other types of malware.

It is crucial for organizations to take a proactive approach to cybersecurity and implement necessary security measures to protect their systems. In today’s digital age, the risks of cyber-attacks are high, and organizations must remain vigilant to protect themselves against new and emerging threats.

Overall, Frebniis is a stark reminder of the need for strong cybersecurity practices and the importance of staying up-to-date with the latest security updates and patches. By implementing these best practices, organizations can protect themselves and their clients against cyber-attacks and ensure the confidentiality, integrity, and availability of their systems and data.