An APT group dubbed Praying Mantis or TG1021, by researchers from incident response firm Sygnia, has hit IIS web servers with deserialization flaws and memory-resident malware. It says Praying Mantis group is likely a nation-state threat actor using custom malware that is especially good at avoiding detection to compromise major public and private organisations over the past year. It exploits deserialization flaws in public-facing ASP.NET applications to deploy evasive fileless malware. This custom malware toolset that is adept at evading detection is built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement.
“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC (operations security),” the Sygnia researchers said. “The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth.”