Cyber Security News

Hackers Abuse IIS Feature to Deploy New Frebniis Malware

A recently discovered threat to Microsoft's Internet Information Services (IIS) involves a new piece of malware known as "Frebniis."

Attackers use it to execute commands stealthily on the compromised server through ordinary HTTP requests sent from the Internet.

Symantec's Threat Hunter Team, part of Broadcom Software, recently reported this new malware, "Frebniis." According to their report, it is currently being deployed by a so far unidentified threat actor against targets based in Taiwan.

Microsoft IIS is a powerful software application platform used for web server functionality and web application hosting. Among its many uses, Microsoft IIS serves as a vital platform for services such as Outlook on the Web for Microsoft Exchange. 

This software platform is highly reliable and allows for easy access to web applications and services, making it a popular choice for individuals and businesses alike.

Frebniis Abuse IIS Feature

Frebniis injects malicious code into the memory of iisfreb.dll, the module behind an IIS feature that is normally used to trace and diagnose failed web requests.

Because that module sees every incoming request, the injected code can silently inspect all HTTP traffic reaching the server and watch for specially formatted requests from the attacker, which it then uses to execute code remotely.

To plant the backdoor, the attacker must first gain access to the Windows host running IIS by some other means. How that initial access was obtained in this case remains unknown.

Symantec observed the attackers abusing the IIS feature named 'Failed Request Event Buffering' (FREB), which collects request metadata such as client IP addresses, HTTP headers, and cookies.

The injected .NET backdoor can compile and run C# code and proxy traffic entirely in memory, without touching disk, which makes it hard to spot with file-based detection. When the pages logon.aspx or default.aspx are requested, the backdoor checks for a specific password parameter.

A second HTTP parameter carries a base64-encoded string that holds the attacker's instructions. Through it, Frebniis can run commands and relay connections through the compromised IIS server, which lets the attacker reach protected internal systems that are not exposed to the Internet.
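The request pattern described above (a watched page, a password parameter, and a second base64-encoded parameter) can be hunted for in ordinary IIS W3C logs. The script below is an added example written for this article, not code from Symantec or from the malware itself. It assumes the default W3C log format with a `#Fields:` header; the log lines, the parameter names `auth` and `cmd`, and the IP addresses are all constructed for the demonstration, since the page does not name the real password parameter. Any parameter name on the watched pages is therefore checked, and a hit requires at least two parameters with one well-formed base64 value.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C extended log (not from the Symantec
# report). The third request carries two query parameters, the second of
# which is base64: the shape the article describes for Frebniis commands.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-02-14 10:00:01 10.0.0.5 GET /default.aspx - 203.0.113.7 200
2023-02-14 10:00:02 10.0.0.5 GET /logon.aspx ReturnUrl=%2f 203.0.113.7 200
2023-02-14 10:00:03 10.0.0.5 GET /default.aspx auth=Example123&cmd=d2hvYW1pIC9hbGw= 198.51.100.9 200
2023-02-14 10:00:04 10.0.0.5 GET /images/logo.png - 203.0.113.8 200
"""

# Pages the article says the backdoor listens on (matched case-insensitively).
WATCHED_PAGES = {"/logon.aspx", "/default.aspx"}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(value: str, min_len: int = 8) -> bool:
    """True if value is well-formed, padded base64 of at least min_len chars."""
    if len(value) < min_len or len(value) % 4 != 0 or not _B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_w3c_log(log_text: str):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other comment lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious_requests(log_text: str) -> list:
    """Flag requests to a watched page that carry two or more query
    parameters, at least one of which decodes cleanly as base64."""
    hits = []
    for rec in parse_w3c_log(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if stem not in WATCHED_PAGES or query == "-":
            continue
        params = parse_qs(query, keep_blank_values=True)
        if len(params) < 2:
            continue  # password parameter plus command parameter expected
        for name, vals in params.items():
            for v in vals:
                if looks_like_base64(v):
                    decoded = base64.b64decode(v).decode("utf-8", errors="replace")
                    hits.append({
                        "time": f"{rec.get('date')} {rec.get('time')}",
                        "client": rec.get("c-ip"),
                        "page": stem,
                        "param": name,
                        "decoded": decoded,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Two caveats for anyone running this against real logs: IIS logging records only the query string, so a command delivered in a POST body will not appear here and needs request-body capture (for example from a WAF or reverse proxy) instead; and base64 values are common in legitimate traffic (view state, tokens), so treat a hit as a lead to triage against the client IP and the decoded content rather than as proof of compromise.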

Supported Commands

The commands supported by this malware are listed below:

The main advantage of hijacking the FREB component is evasion: this HTTP backdoor spawns no new processes, writes no files to disk, and leaves few of the traces that security tools usually look for.

While the exact route of the initial compromise is unknown, it is strongly advisable to apply software updates promptly, so that threat actors cannot gain their foothold by exploiting already-known vulnerabilities.

Monitoring the organization's network traffic with capable network-monitoring tools can also help detect unusual activity, such as unexpected outbound connections or proxied traffic from the IIS host, that may be caused by Frebniis or other malware.



Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
