According to Symantec, a recently discovered malware family is using Microsoft Internet Information Services (IIS) to install a backdoor and track all HTTP traffic to the compromised system.
The malware, known as Frebniis, injects code into a DLL used by the IIS Failed Request Event Buffering (FREB) feature to analyze failed requests. The tracked requests’ HTTP headers with cookies, originating IP address, port number, and other information are all collected by FREB. In the observed Frebniis attacks, the malware checks to see if FREB is active before accessing the IIS process to learn where the targeted FREB DLL is loaded.
The creators of Frebniis, according to Symantec, “have found that whenever any HTTP request is made to IIS from a web client, iiscore.dll calls a specific function pointer within iisfreb.dll.”
Read More: ‘Frebniis’ Malware Hijacks Microsoft IIS Function to Deploy Backdoor
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
