Hackers Hijack an IIS Feature to Install Frebniis Malware

“Frebniis, the malware uses a method that injects harmful code into iisfreb.dll’s memory. Iisfreb.dll is a DLL file attached with an IIS feature used for checking unsuccessful web page requests.”

“Frebniis” is a new malware family that recently posed a threat to Microsoft’s Internet Information Services (IIS).


Attackers are using the malware to execute commands stealthily through ordinary web requests sent over the internet.

Microsoft IIS is a robust software application platform used for web application hosting and web server functionality. Among its many uses, the platform hosts crucial Microsoft services such as Outlook.

Microsoft IIS is a trusted platform that gives users easy access to services and web applications, making it a preferred choice for businesses and individuals alike.

Frebniis Corrupts IIS Feature

Frebniis, the malware, uses a method that injects harmful code into iisfreb.dll’s memory. Iisfreb.dll is a DLL file attached to an IIS feature used for checking unsuccessful web page requests.

Through this IIS feature, Frebniis stealthily monitors all HTTP requests and detects specially formatted requests from the attacker, which opens the door to remote code execution.


To pull this off, the attacker must first gain access to the Windows system running the IIS server by some other means. How the attacker obtained that access in this instance remains unknown.


The injected .NET backdoor allows C# code execution and provides proxying without touching the disk, which makes it hard to detect. A particular password is checked when default[.]aspx or logon[.]aspx are requested.


Frebniis can also communicate with and proxy to other systems through the compromised IIS server, using a base64-encoded string passed as a second HTTP parameter, giving the attacker a path to protected internal systems that are not reachable from the internet.
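A defender-side triage heuristic derived from the behaviour described above, added here as an example and not part of the original article or any vendor tooling: it parses IIS W3C log lines (constructed samples, not real telemetry) and flags requests to default.aspx or logon.aspx whose second query parameter is a well-formed base64 blob. The parameter names, IP addresses and the 16-character minimum are assumptions, and a hit is a lead for review, not proof of infection.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# Pages the article reports Frebniis watching for its password check.
WATCHED_PAGES = {"/default.aspx", "/logon.aspx"}

# Constructed IIS W3C log excerpt (hypothetical addresses and parameter names).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip
2023-02-14 10:01:02 10.0.0.5 GET /default.aspx - 443 198.51.100.7
2023-02-14 10:01:09 10.0.0.5 GET /logon.aspx ReturnUrl=%2fhome 443 198.51.100.7
2023-02-14 10:02:11 10.0.0.5 POST /default.aspx token=secret123&data=aHR0cDovLzEwLjAuMC45OjgwODAv 443 203.0.113.9
2023-02-14 10:02:40 10.0.0.5 GET /images/logo.png a=1&b=aGVsbG8= 443 203.0.113.9
"""


def looks_base64(value: str, min_len: int = 16) -> bool:
    """True if value is reasonably long, padded, and decodes as strict base64."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_requests(text: str, min_b64_len: int = 16):
    """Return (client ip, page, parameter name) for requests matching the heuristic."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() not in WATCHED_PAGES:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS logs a dash when there is no query string
            continue
        params = parse_qsl(query, keep_blank_values=True)
        # Heuristic from the article: a second parameter carrying a base64 payload.
        if len(params) >= 2 and looks_base64(params[1][1], min_b64_len):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], params[1][0]))
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the POST from 203.0.113.9; the image request with a short base64 value is outside the watched pages and below the length floor.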

Reddit Confirms Hack, Says User Data Is Safe

Synopsis

“Reddit, explaining the nature of the phishing attack, further mentioned that the attack was targeted at Reddit employees, pressuring them into clicking on the link to a site that was similar to the internal gateway of Reddit. It seems some of the employees clicked on the link and enabled the hackers to enter the internal systems, thereby getting hold of the company data.”

Reddit, the California-based technology company behind the community platform, has acknowledged that it was hacked this week, describing the incident as a sophisticated phishing attack targeting its employees.


The social media platform also said the phishing attack took place on February 5 and breached Reddit’s security systems.

That said, the company stated that the user database was not exposed in the attack, although the attackers were able to access source code, some internal documents, and some internal business systems.

Explaining the nature of the phishing attack, Reddit further said the attackers targeted Reddit employees, pressuring them into clicking a link to a site that resembled Reddit’s internal gateway.

It appears some employees clicked the link, which allowed the attackers to enter the internal systems and obtain company data.

Reddit reiterated that there was no loss of, or attack on, user data. Most of the leaked data in fact consists of limited contact information for hundreds of company contacts and employees.

The company carried out a full investigation of the phishing attack after employees reported a possible intrusion.

Reddit’s security team moved quickly to close off the breach and keep the damage to its systems to a minimum.

The attacker’s access to the systems was blocked first, and Reddit then began the investigation that produced the details described above.