Windows internet-facing servers are being targeted by a new threat actor found by the Sygnia Incident Response team. The advanced and persistent threat which they call the ‘Praying Mantis’ is operating almost completely in-memory. The ‘Praying Mantis’ uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets. The threat actor utilized the access provided using the IIS to conduct the additional activity, including credential harvesting, reconnaissance, and lateral movement. The core component, loaded onto internet-facing IIS servers, intercepts and handles any HTTP request received by the server. The threat also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks. The ‘Praying Mantis’ is highly aware of Windows operations security and is one of the most significant, coordinated, and advanced cyber-targeting attacks. Sygnia researchers suggested patching all .NET deserialization vulnerabilities, searching for known indicators of compromise, scanning internet-facing IIS servers with a set of Yara rules and hunting for suspicious activity on internet-facing IIS environments.
‘Praying Mantis’ threat actor targeting Windows internet-facing servers with malware
