Researchers have identified a cunning piece of malware that exploits a feature in Microsoft Internet Information Services (IIS) to secretly steal data and run malicious code on Windows systems.
IIS is a web server that runs on Windows-based computers. It accepts requests from remote clients and returns the appropriate responses. In July 2021, there were 51.6 million IIS instances spread across 13.5 million distinct domains, according to network intelligence company Netcraft.
According to Symantec researchers, Frebniis hijacks and alters the IIS web server code so that it can intercept the normal flow of HTTP request handling and look for specially formatted HTTP requests. These requests permit stealthy proxying and remote code execution on internal systems. Frebniis is a relatively rare type of HTTP backdoor seen in the wild because no files or suspicious processes will be running on the system.
By stealing and altering the IIS web server code, Frebniis is able to check for specially structured HTTP requests while intercepting the normal flow of HTTP request handling, according to Symantec researchers. “These queries allow for the proxying of code to internal systems and covert remote code execution. Because no suspicious files or processes will be running on the system, Frebniis is a pretty uncommon and rare type of HTTP backdoor encountered in the wild.”
Currently, it’s unclear how widely used Frebniis is. The article offers two file hashes linked to the backdoor but doesn’t describe how to check a system for them.
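One way to check a directory tree against published file hashes, as an added example that is not part of the original article or the Symantec report. It assumes the indicators are SHA-256 digests; the function names and the sample files are constructed for illustration, and the real hashes must be taken from the vendor report.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_for_hashes(root, ioc_hashes):
    """Return (matches, unreadable) for every regular file under root."""
    # Normalise case and whitespace: reports print hashes in either case.
    wanted = {h.strip().lower() for h in ioc_hashes if h.strip()}
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in wanted:
                    matches.append(path)
            except OSError:
                # Locked or permission-denied files are reported, not silently skipped.
                unreadable.append(path)
    return sorted(matches), sorted(unreadable)

def demo():
    """Constructed sample: a temp tree with one file whose hash is on the list."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "sample.dll"), "wb") as fh:
            fh.write(b"constructed sample bytes")
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        # Stand-in for a published indicator; not a real Frebniis hash.
        iocs = [hashlib.sha256(b"constructed sample bytes").hexdigest().upper()]
        matches, unreadable = scan_for_hashes(root, iocs)
        return [os.path.relpath(m, root) for m in matches], unreadable

if __name__ == "__main__":
    print(demo())
```

Because the backdoor is described above as leaving no suspicious files or processes on the system, a sweep with no matches does not by itself show that a server is clean.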