A sophisticated threat actor behind a series of highly targeted attacks on Australian companies and government entities last year may be carrying out a similar campaign against US organizations using almost only memory-resident malware.
Researchers at Sygnia this week reported observing attacks bearing all the hallmarks of the Australian campaign targeting what they described as high-profile public and private entities in the US. Sygnia says the threat actor — which it is tracking as Praying Mantis or TG1021 — has been attacking Windows Internet Information Services (IIS) environments and Web applications to gain initial access on target networks.
The attacks have been going on since at least last June and appear to be a cyber-espionage operation for a state-backed entity. "While the full scope of activity is unknown to Sygnia, the level of sophistication and highly persistent nature of the threat actor suggests the existence of a large operation," says Arie Zilberstein, vice president of incident response at Sygnia.
Some reports out of Australia last year have suggested the activity is linked to China — a country the Biden administration recently publicly accused of using criminal gangs to conduct cyber espionage and other malicious missions on its behalf.
Zilberstein says Sygnia first uncovered signs of the campaign when responding to a report of a potential compromise on a customer network. "This gradually unfolded the attack and tool set, which made it more trackable," he says.
According to Sygnia, the threat actor's main tactic for gaining a foothold on a target network has been to use different so-called deserialization exploits against IIS and vulnerabilities in Web applications. Zilberstein explains a deserialization exploit as one that leverages the way an application reconstructs objects from data that has been serialized. "If the deserialization process is insecure, the program can be exploited to execute malicious code on the target."
As one example, he points to CVE-2021-27852, a zero-day vulnerability in the "Checkbox Survey" Web application that the attackers have used to exploit IIS servers. The vulnerability is associated with an insecure deserialization mechanism in the application and allows for remote code execution on the target server. The attackers have also been observed exploiting two vulnerabilities (CVE-2019-18935 and CVE-2017-11317) in a widely used set of user-interface components for Web applications from Telerik (Telerik-UI).
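The deserialization weakness described above, shown as an added example that is not part of the article or of Sygnia's report. It uses Python's pickle as a stand-in for the .NET formatters involved in the IIS cases, since the failure mode is the same: the serialized input names a type or callable, and an unrestricted loader resolves whatever it names. The application class, the allowlist and the sample blobs are constructed for the example.

```python
import io
import os
import pickle


class SurveyResponse:
    """Constructed application type, standing in for whatever a real app serializes."""

    def __init__(self, survey_id, answers):
        self.survey_id = survey_id
        self.answers = answers


# Only the types the application legitimately expects in serialized input.
# The module name is taken from the class itself so the allowlist is correct
# whether this file runs as a script or is imported.
ALLOWED_CLASSES = {
    (SurveyResponse.__module__, "SurveyResponse"),
    ("builtins", "dict"),
    ("builtins", "list"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def insecure_load(data):
    # Resolves any module.attribute the blob names; this is the vulnerable pattern.
    return pickle.loads(data)


def hardened_load(data):
    # Same format, but global references are checked against the allowlist.
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_result(loader, data):
    """Return ('ok', obj) or ('rejected', message) for the given loader."""
    try:
        return ("ok", loader(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed blobs: one is the expected object, the other is a reference to a
# function the application never serializes. Unpickling the second does not
# call the function, but it shows the loader resolving a name it was never
# meant to resolve, which is exactly what the hardened loader blocks.
BENIGN_BLOB = pickle.dumps(SurveyResponse(7, {"q1": "yes"}))
UNTRUSTED_BLOB = pickle.dumps(os.getcwd)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BLOB), ("untrusted", UNTRUSTED_BLOB)):
        print(label, "insecure:", load_result(insecure_load, blob)[0],
              "hardened:", load_result(hardened_load, blob)[0])
```

The allowlist approach is the general fix: the loader decides which types may be instantiated, rather than trusting the input to name them. The equivalent on the .NET side is to avoid formatters that resolve arbitrary types from the stream, or to constrain type resolution with a binder, and to upgrade the affected components as the article recommends.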
The attackers have used their initial access from these exploits to execute a memory-resident malware that serves as a backdoor on Internet-facing IIS servers. The malware intercepts and handles all HTTP requests that the compromised IIS server might receive. The malware appears custom designed for IIS servers, is completely volatile — or operates only in memory — and leaves very little trace on infected systems, Sygnia says in a new report.
The threat actors have used their access on the IIS servers to drop additional post-exploitation malware, including a stealthy backdoor, for network reconnaissance, privilege escalation and lateral movement. The activity that Sygnia has observed suggests that the Praying Mantis group is an experienced and stealthy actor that is very familiar with the Windows IIS environment and maintains a high level of operational security. The group's malware appears designed to evade easy detection by, among other things, interfering with logging activity and waiting for incoming instructions from attacker-controlled servers rather than proactively connecting out to a remote command-and-control server, which would risk detection.
Sygnia says TG1021's tactics, techniques, and procedures (TTPs) are like those employed by the actors behind what the Australian government last year described as "copy-paste compromises" because of how they involved tools copied nearly identically from open source material. Just like Praying Mantis, the actor behind the sustained attacks in Australia last year also leveraged deserialization exploits and vulnerabilities in Telerik UI in its campaigns. There are also significant overlaps in the tool sets used in both campaigns and in the obfuscation mechanisms, Sygnia says.
"We view the group as highly sophisticated, much more than commonly found in the threat landscape," Zilberstein says. It has been operating with exploits and advanced malware and has succeeded in actively hiding its presence and avoiding detection by leading EDRs, he notes. "TG1021 prefers to give up on persistence and redeploy their malware by reflectively loading it into memory on each phase of the attack. This shows an extensive attempt to hide their existence in compromised networks."
Zilberstein says that Praying Mantis' modus operandi and victim targeting suggest it is state-backed. However, at this point, Sygnia does not want to speculate on the group's provenance, he says. Some reports out of Australia last year have suggested the group is linked to China.
"Defending against TG1021 attacks is a tough task," Zilberstein notes. At a high level, organizations should consider patching IIS servers for known .NET deserialization vulnerabilities. If organizations are using the Checkbox Survey app, they need to upgrade to the latest version. Organizations should also be actively hunting for suspicious activity targeting Internet-facing IIS environments.
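One concrete form the hunting advice above can take, as an added example that is not part of the article or of Sygnia's published indicators: a small triage pass over IIS W3C logs that flags request patterns consistent with the exploitation path the article describes. The sample log lines are constructed. The handler path `/Telerik.Web.UI.WebResource.axd` with `type=rau` is Telerik's asynchronous upload handler, the component the Telerik CVEs concern; the 64 KB body threshold and the non-browser user-agent heuristic are assumptions chosen for the example and should be tuned to the environment.

```python
from typing import Dict, List, Tuple

# Constructed IIS W3C extended log excerpt (not taken from the report).
# Field set and '+'-encoded user agents follow IIS conventions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2021-06-14 09:12:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 1520 310 12
2021-06-14 09:12:07 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.25.1 200 410 184320 2105
2021-06-14 09:12:09 10.0.0.5 POST /login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 302 220 640 8
2021-06-14 09:12:15 10.0.0.5 POST /api/upload.aspx - 443 - 198.51.100.23 curl/7.68.0 200 300 92160 430
"""

# Handler that accepts serialized input and is the subject of the Telerik CVEs.
DESERIALIZATION_HANDLERS = {"/telerik.web.ui.webresource.axd"}
# Assumed threshold: POST bodies this large to an .aspx/.axd endpoint are rare
# for interactive users on most applications; tune per site.
LARGE_BODY_BYTES = 64 * 1024


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file on log rotation
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-assign columns
        row = dict(zip(fields, values))
        row["_line"] = str(lineno)
        rows.append(row)
    return rows


def triage(text: str) -> List[Tuple[int, str, str]]:
    """Return (log line number, rule name, client IP) for each suspicious request."""
    findings: List[Tuple[int, str, str]] = []
    for row in parse_w3c(text):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-").lower()
        agent = row.get("cs(User-Agent)", "-")
        client = row.get("c-ip", "-")
        try:
            body = int(row.get("cs-bytes", "0"))
        except ValueError:
            body = 0
        lineno = int(row["_line"])

        # Rule 1: POST to the Telerik upload handler, the entry point for the
        # deserialization issues the article names.
        if method == "POST" and stem in DESERIALIZATION_HANDLERS and "type=rau" in query:
            findings.append((lineno, "post-to-telerik-rau-handler", client))

        # Rule 2: large POST body to a .NET endpoint from a non-browser client,
        # a coarse signal for serialized payload delivery by tooling.
        if (method == "POST" and body >= LARGE_BODY_BYTES
                and stem.endswith((".aspx", ".axd")) and not agent.startswith("Mozilla/")):
            findings.append((lineno, "large-post-non-browser-agent", client))
    return findings


def suspicious_clients(text: str) -> List[str]:
    """Distinct client IPs with at least one finding, sorted for stable output."""
    return sorted({client for _, _, client in triage(text)})


if __name__ == "__main__":
    for lineno, rule, client in triage(SAMPLE_LOG):
        print(f"line {lineno}: {rule} from {client}")
```

Because the backdoor the article describes suppresses logging on the host, a pass like this is most useful against logs shipped off the server in near real time, and against the logs of any reverse proxy or load balancer in front of IIS, where the malware cannot interfere with them.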
Sygnia has also provided indicators of compromise and TTPs associated with Praying Mantis and tips for mitigating the risk of compromise by the group.