'Praying Mantis' threat actor targeting Windows internet-facing servers with malware

A Sygnia Incident Response team report found that the advanced and persistent threat actor was operating almost completely in-memory.

Windows internet-facing servers are being targeted by a new threat actor operating "almost completely in-memory," according to a new report from the Sygnia Incident Response team.

The report said that the advanced and persistent threat actor -- which they have named "Praying Mantis" or "TG1021" -- mostly used deserialization attacks to load a completely volatile, custom malware platform tailored for the Windows IIS environment.

"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers wrote.

"The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement."

Over the last year, the company's incident response team has been forced to respond to a number of targeted cyber intrusion attacks aimed at several prominent organizations that Sygnia did not name.

"Praying Mantis" managed to compromise their networks by exploiting internet-facing servers, and the report notes that the activity observed suggests that the threat actor is highly familiar with the Windows IIS platform and is equipped with 0-day exploits.

"The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. TG1021 also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks," the report explained.

"The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of operations security. The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic."

The actors behind "Praying Mantis" removed all disk-resident tools after using them, effectively giving up persistence in exchange for stealth.

The researchers noted that the actors' techniques resemble those mentioned in a June 2020 advisory from the Australian Cyber Security Centre, which warned of "Copy-paste compromises."

The Australian notice said the attacks were being launched by a "sophisticated state-sponsored actor" and represented "the most significant, coordinated cyber-targeting against Australian institutions the Australian Government has ever observed."

Another notice said the attacks were specifically targeting Australian government institutions and companies.

"The actor leveraged a variety of exploits targeting internet-facing servers to gain initial access to target networks. These exploits abuse deserialization mechanisms and known vulnerabilities in web applications and are used to execute a sophisticated memory-resident malware that acts as a backdoor," the Sygnia report said.

"The threat actor uses an arsenal of web application exploits and is an expert in their execution. The swiftness and versatility of operation combined with the sophistication of post-exploitation activities suggest an advanced and highly skilful actor conducted the operations."

The threat actors exploited multiple vulnerabilities in their attacks, including a 0-day vulnerability stemming from an insecure implementation of the deserialization mechanism within the "Checkbox Survey" web application.

They also exploited IIS servers and the standard VIEWSTATE deserialization process to regain access to compromised machines as well as 

"This technique was used by TG1021 in order to move laterally between IIS servers within an environment. An initial IIS server was compromised using one of the deserialization vulnerabilities listed above. From there, the threat actor was able to conduct reconnaissance activities on a targeted ASP.NET session state MSSQL server and execute the exploit," the report noted.

It added that the threat actors have also taken advantage of vulnerabilities in Telerik products, some of which involve weak encryption.

Sygnia researchers suggested patching all .NET deserialization vulnerabilities, searching for known indicators of compromise, scanning internet-facing IIS servers with a set of Yara rules and hunting for suspicious activity on internet-facing IIS environments.