Microsoft IIS servers targeted with Frebniis malware

Microsoft Internet Information Services servers are being subjected to attacks with the new Frebniss malware, which enables stealthy command execution through web requests, reports BleepingComputer. Such attacks, which have been aimed at Taiwan-based targets, involve the exploitation of IIS' Failed Request Event Buffering feature, with the Frebniss malware facilitating malicious code injection into the FREB-controlling DLL file to track and intercept HTTP POST requests in the IIS server, according to a Symantec report. Researchers found that Frebniss supports commands enabling connections to a remote system for proxying, reading a remote system-based Base64 string, writing a Base64 string to the remote system, and closing the connection. "If an HTTP call to logon.aspx or default.aspx is received without the password parameter, but with the Base64 string, the Base64 string is assumed to be C# code that will be executed straight in memory. The Base64 string is decoded and then decrypted (xor 0x08) and is expected to be an XML document with the C# code to be executed in the '/doc' node under the 'data' attribute (E.g. <doc data=C# code>)," said the report.