A new and formidable threat actor is attacking large, high-ranking public and private organizations in the United States, as part of a series of targeted attacks that use Microsoft Internet Information Services (IIS) servers as the way into their networks.
The actor, tracked as TG1021, targets IIS servers with a unique malicious toolset built on a common malware core. “The toolkit is completely volatile, loaded reflectively into the memory of the affected computer, and leaves no traces on the infected target,” the researchers said.
The actor has also shown significant effort to evade detection, actively interfering with logging mechanisms and successfully evading commercial Endpoint Detection and Response (EDR) systems. The threat actor is known to have an arsenal of ASP.NET exploits that it leverages against web applications to gain a foothold on and take over servers, and it has deployed a complex implant called “NodeIISWeb” that is designed to load custom DLL files and to intercept and process the HTTP requests handled by the server.
Interestingly, Sygnia’s investigation of TG1021’s Tactics, Techniques and Procedures (TTPs) found “major overlap” with those of a government-sponsored actor described in the “Copy-Paste Compromises” advisory published by the Australian Cyber Security Centre (ACSC) in June 2020, which describes a cyber campaign targeting public infrastructure primarily by exploiting unpatched bugs in Telerik UI and Microsoft IIS servers. Official attribution is still pending.
Cybercriminals are increasingly targeting governments and commercial enterprises at the highest levels, the study notes, adding that “constant forensic activity and quick incident response are crucial for effectively identifying and defending networks from such threat actors.”
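Because the campaign described above reaches IIS servers through Telerik UI and ASP.NET web applications, and the study's recommendation is constant forensic review, one concrete piece of that review is to triage the IIS W3C logs for unusual traffic to the Telerik handler endpoints. The script below is an added example written for this article; it is not code from Sygnia or from the TG1021 toolkit. It assumes the standard IIS W3C log format (the field order is read from the `#Fields:` directive rather than hard-coded) and the well-known Telerik UI for ASP.NET AJAX handler paths `Telerik.Web.UI.WebResource.axd` and `Telerik.Web.UI.DialogHandler.aspx`; the log lines are constructed for illustration, with documentation-range IP addresses.

```python
"""Triage of IIS W3C log lines for unusual requests to Telerik UI handlers.

Added example for this article, not Sygnia's or the toolkit's code. It
assumes the IIS W3C logging module's field layout (parsed from the
#Fields: line) and the default Telerik UI for ASP.NET AJAX handler paths.
"""
from collections import Counter

# Handler endpoints shipped with Telerik UI for ASP.NET AJAX. Requests to
# them are normal on a site that uses the control suite, so the logic below
# flags volume and large upload bodies rather than any single hit.
TELERIK_HANDLERS = (
    "/telerik.web.ui.webresource.axd",
    "/telerik.web.ui.dialoghandler.aspx",
)

# Constructed sample log; the #Fields: line mirrors a common IIS selection.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2021-08-03 10:15:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 5120 410 12
2021-08-03 10:15:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0 200 215 402 3
2021-08-03 10:15:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.25 200 215 188930 941
2021-08-03 10:15:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 python-requests/2.25 500 1890 188930 1203
2021-08-03 10:15:09 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.9 Mozilla/5.0 200 8800 300 2
"""


def parse_w3c(text):
    """Yield one dict per data line, using the field names from #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no rows
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count these
        yield dict(zip(fields, values))


def triage(text, post_bytes_threshold=65536):
    """Return findings worth a closer forensic look.

    Two signals are reported: any POST to a Telerik handler whose request
    body (cs-bytes) is at least post_bytes_threshold, and the per-client
    count of POSTs to those handlers.
    """
    findings = []
    post_counts = Counter()
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        if not any(stem.endswith(h) for h in TELERIK_HANDLERS):
            continue
        client = row["c-ip"]
        if row["cs-method"].upper() != "POST":
            continue
        post_counts[client] += 1
        size = int(row["cs-bytes"]) if row["cs-bytes"].isdigit() else 0
        if size >= post_bytes_threshold:
            findings.append({
                "client": client,
                "reason": "large POST to Telerik handler",
                "bytes": size,
                "status": row["sc-status"],
            })
    for client, n in post_counts.items():
        findings.append({
            "client": client,
            "reason": "POSTs to Telerik handler",
            "count": n,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the two large POSTs from 198.51.100.7 (one answered with HTTP 500) and the per-client count are reported; on real logs, tune the byte threshold to the site's legitimate upload sizes and feed the findings into the incident response queue rather than treating them as confirmation on their own.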