28 July 2021

Praying Mantis APT targets Windows IIS web servers with deserialization exploits

A new advanced persistent threat (APT) group has been observed targeting Windows IIS web servers using a variety of deserialization exploits in order to infiltrate networks of high-profile organizations in the US.

The hacker group, dubbed Praying Mantis, or TG1021, by researchers from incident response firm Sygnia, relies on a volatile and custom malware toolset built specifically for Internet Information Services (IIS) web servers to perform credential harvesting, reconnaissance and lateral movement.

“The nature of the activity and general modus-operandi suggest TG1021 to be an experienced stealthy actor, highly aware of OPSEC (operations security). The malware used by TG1021 shows a significant effort to avoid detection, both by actively interfering with logging mechanisms, successfully evading commercial EDRs and by silently awaiting incoming connections, rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, the threat actor actively removed all disk-resident tools after using them, effectively giving up on persistency in exchange for stealth,” the researchers wrote in their report.

In the observed attacks, Praying Mantis used these exploits to gain access to IIS servers running outdated ASP.NET applications; once inside, the attackers deployed a malware framework named NodeIISWeb that acted as a backdoor.

“The NodeIISWeb malware is a .NET DLL reflectively loaded module that is injected into the w3wp.exe process of affected machines. It serves as the core component of the threat actor’s malware framework and acts as the main backdoor on a compromised IIS server,” Sygnia explained.

According to the researchers, the APT relied on several exploits targeting Windows IIS servers and vulnerabilities in web applications to gain access to the target network: Checkbox Survey RCE exploit (CVE-2021-27852), VIEWSTATE Deserialization exploit, and two exploits targeting Telerik-UI for ASP.NET AJAX (CVE-2019-18935, CVE-2017-11317).
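As an added defender's example (not from the article or from Sygnia's report), the Python below flags bursts of ASP.NET ViewState MAC validation failures per client, the trace that ViewState deserialization attempts leave in the Windows Application log when a forged ViewState does not carry a valid MAC. The exported log format, the sample records, the client addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample of exported Application log records (not from the article).
# Format assumed: "<ISO timestamp>|<source>|<event id>|<message>".
# Event ID 1316 is the ASP.NET "Viewstate verification failed" web event.
SAMPLE_LOG = """\
2021-07-20T10:00:01|ASP.NET 4.0.30319.0|1316|Event code: 4009 Event message: Viewstate verification failed. Request path: /default.aspx User host address: 203.0.113.7
2021-07-20T10:00:03|ASP.NET 4.0.30319.0|1316|Event code: 4009 Event message: Viewstate verification failed. Request path: /default.aspx User host address: 203.0.113.7
2021-07-20T10:00:04|ASP.NET 4.0.30319.0|1316|Event code: 4009 Event message: Viewstate verification failed. Request path: /default.aspx User host address: 203.0.113.7
2021-07-20T10:00:09|ASP.NET 4.0.30319.0|1309|Event code: 3005 Event message: An unhandled exception has occurred. User host address: 203.0.113.7
2021-07-20T11:30:00|ASP.NET 4.0.30319.0|1316|Event code: 4009 Event message: Viewstate verification failed. Request path: /login.aspx User host address: 198.51.100.20
2021-07-20T12:00:00|Service Control Manager|7036|The Windows Update service entered the running state.
"""

VIEWSTATE_FAIL_ID = "1316"
HOST_RE = re.compile(r"User host address:\s*(\S+)")

def parse_records(text):
    """Yield (timestamp, event_id, client_ip) for records that name a client host."""
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, _source, event_id, message = parts
        m = HOST_RE.search(message)
        if m:
            yield datetime.fromisoformat(ts), event_id, m.group(1)

def flag_viewstate_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: total failures} for clients with at least `threshold`
    MAC failures inside one sliding window; a lone failure is usually a stale
    form resubmitted after a key rotation, a burst from one client is not."""
    per_ip = defaultdict(list)
    for ts, event_id, ip in parse_records(text):
        if event_id == VIEWSTATE_FAIL_ID:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `flag_viewstate_bursts(SAMPLE_LOG)` on the constructed records flags only the client that produced three failures within seconds, not the single stale-form failure from the other address.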
