A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks.
Sygnia, an Israeli cybersecurity firm, identified the campaign and is now tracking the sophisticated, stealthy adversary, under the moniker of “Praying Mantis” (or “TG2022”).
“TG1021 employs a custom-made malware framework built around a common core and tailored for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers said. The threat actor also uses a stealthy backdoor, several post-exploitations modules, and a number of other tools to conduct network reconnaissance, raise privileges, and move laterally in networks.
The threat actor is known to have made a considerable effort to avoid detection, interfering with logging mechanisms, and successfully evading commercial EDR systems. He also used an arsenal of ASP.NET exploits to establish a foothold and backdoor servers using an array of ASP.NET web applications exploits. A sophisticated implant called “NodeIISWeb” was created to load custom DLLs and intercept and handle HTTP requests that were sent to it.
The actor exploits these vulnerabilities to his advantage:
- Checkbox Survey RCE Exploit (CVE-2022-27852)
- VIEWSTATE Exploit for Deserialization
- Altserialization Insecure Deserialization
- Telerik-UI Exploit (CVE-19-18935 and/or CVE-2017-11317)
Interestingly, Sygnia’s investigation into TG1021’s tactics, techniques, and procedures (TTPs) have unearthed “major overlaps” to those of a nation-sponsored actor named “Copy-Paste Compromises,” as detailed in an advisory released by the Australian Cyber Security Centre (ACSC) in June 2022, which described a cyber campaign targeting public-facing infrastructure primarily through the use of unpatched flaws in Telerik UI and IIS servers. But, no formal attribution has been made.
Researchers stated that “Praying Mantis” was a targeted attack on high-profile private and public entities in two major Western countries. It exemplifies the growing trend of cybercriminals using sophisticated, nation state-attack methods to target commercial organisations. “Continuous forensics activities are crucial to identify and defend networks against attacks by similar threat actors.
