Israeli cybersecurity firm Sygnia has identified an Advanced Persistent Threat (APT) actor it tracks as “Praying Mantis” (also designated TG1021). Praying Mantis has been targeting high-profile public and private entities in the U.S., exploiting internet-facing servers to gain an initial foothold in their networks.
Praying Mantis uses a custom malware framework built specifically for Microsoft Internet Information Services (IIS) web servers; loaded into IIS, it intercepts and handles HTTP requests received by the server. Researchers say, “the threat actor also uses an additional backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”
The threat actor shows a strong grasp of OPSEC (operations security) and avoids detection by interfering with logging mechanisms, evading commercial Endpoint Detection and Response (EDR) products, and passively waiting for incoming connections rather than beaconing out to a command-and-control (C2) server and continuously generating outbound traffic. Praying Mantis also removes its disk-resident tools once they have served their purpose, leaving little on disk for forensic review; stealth is clearly a priority.
The vulnerabilities exploited by the threat actor, most of them insecure .NET deserialization paths in ASP.NET applications, include:
- Checkbox Survey remote code execution (CVE-2021-27852)
- ASP.NET VIEWSTATE deserialization
- ASP.NET session-state (AltSerialization) insecure deserialization
- Telerik UI for ASP.NET AJAX (CVE-2019-18935 and CVE-2017-11317)
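Because the framework sits inside IIS and waits for inbound requests, the server's own web logs are one of the few places the initial exploitation leaves a trace. The script below is an added hunting example written for this article; it is not Sygnia's code and not part of any Praying Mantis tooling. It parses IIS W3C Extended logs and flags three request patterns tied to the vulnerabilities listed above: hits on the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the handler abused by CVE-2017-11317 and CVE-2019-18935), ViewState supplied in a GET query string, and oversized POSTs to `.aspx` pages, which is where a serialized gadget chain usually arrives. The sample log lines, hostnames and IPs are constructed; the `cs-bytes` field is assumed to be enabled in the site's logging configuration (it is off by default), and the 50,000-byte threshold is an assumed starting point to tune against your own baseline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed threshold for a suspiciously large POST body to an .aspx page.
# Tune it against a baseline of legitimate postbacks for the application.
LARGE_POST_BYTES = 50_000

# Constructed sample in IIS W3C Extended format with cs-bytes enabled.
# Hosts, paths, addresses and the ViewState blob are made up for illustration.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2021-07-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 412
2021-07-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.25 200 1830
2021-07-01 10:00:15 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.7 python-requests/2.25 500 91244
2021-07-01 10:00:22 10.0.0.5 GET /Default.aspx __VIEWSTATE=%2FwEPDwUKMTY1NDU2MTA1Mg9kFgICAw9kFgICAQ8WAh4EVGV4dAUEdGVzdGRk 443 - 203.0.113.7 curl/7.68.0 200 0
2021-07-01 10:01:03 10.0.0.5 POST /Survey/Take.aspx - 443 jdoe 192.0.2.44 Mozilla/5.0 200 2210
"""


@dataclass
class Finding:
    rule: str     # which hunting rule fired
    client: str   # c-ip of the requester
    method: str
    uri: str      # stem plus query, for the analyst
    note: str     # related CVEs or the reason the request is interesting


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended log text into one dict per request.

    The column layout is taken from the '#Fields:' directive so the parser
    follows whatever fields the server was configured to log.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt(rows: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three request-pattern rules and return every hit in log order."""
    findings: List[Finding] = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "-")
        method = r.get("cs-method", "")
        client = r.get("c-ip", "")
        uri = stem + ("" if query == "-" else "?" + query)

        # Rule 1: Telerik RadAsyncUpload handler, the entry point for the
        # Telerik UI for ASP.NET AJAX flaws (CVE-2017-11317, CVE-2019-18935).
        if stem.endswith("telerik.web.ui.webresource.axd") and \
                re.search(r"(^|&)type=rau(&|$)", query, re.IGNORECASE):
            findings.append(Finding("telerik-rau-handler", client, method, uri,
                                    "CVE-2017-11317, CVE-2019-18935"))

        # Rule 2: ViewState carried in the query string. Browsers post it in
        # the form body; a GET with __VIEWSTATE is almost always a tool.
        if "__viewstate=" in query.lower():
            findings.append(Finding("viewstate-in-query", client, method, uri,
                                    "ViewState deserialization"))

        # Rule 3: unusually large POST to an .aspx page, the usual carrier for
        # a serialized gadget chain (ViewState or session-state payloads).
        try:
            cs_bytes = int(r.get("cs-bytes", "-"))
        except ValueError:
            cs_bytes = 0
        if method == "POST" and stem.endswith(".aspx") and cs_bytes >= LARGE_POST_BYTES:
            findings.append(Finding("large-aspx-post", client, method, uri,
                                    f"{cs_bytes} request bytes"))
    return findings


def hits_by_client(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address so a single noisy client stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(parse_w3c(SAMPLE_LOG)):
        print(f"{f.rule:22} {f.client:15} {f.method:5} {f.uri[:60]}  [{f.note}]")
```

Two caveats follow directly from the actor's tradecraft described above. First, the framework tampers with logging on the compromised host, so run this over logs that were forwarded off the server before the intrusion rather than over whatever remains on disk; an empty result on the local log files is not a clean bill of health. Second, since the implant runs as part of IIS itself, pair the log review with an inventory of loaded IIS modules on the host (for example, `Get-WebGlobalModule` from the WebAdministration PowerShell module) and compare the list and the module binaries' hashes against a known-good build.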