The malware injects malicious code into the Failed Request Event Buffering module in order to monitor HTTP requests from the attacker.
In their latest attack, attackers are abusing a Microsoft IIS feature to establish a backdoor. An attacker first monitors the HTTP traffic of the attacked computer and uploads malicious code via a web server. The malicious code initiates events for HTTP connections in the IIS Failed Request Event Buffering module (eventing_cck_failedrequestcontent), which then injects the malware into HTTP responses sent from the compromised machine. This capability was recently used by hackers against terminals in the Polish banking system and was observed over two years ago during the Operation Ghost Click phishing campaigns.
The threat actor behind "Frebniis" targets Polish banks and their customers by attacking ATMs located in Poland. After successfully installing the malware on customer terminals, the attacker requests a ransom in bitcoins (valued at about $15). This particular banking Trojan was first identified by researchers at Kaspersky Lab.
Frebniis is currently active and being used in attacks against Polish banks and their customers. Devices all over the world are also being attacked by this malware. In one of these cases, an unnamed third-party Internet service provider (ISP) in Poland was infected with this malware via one of its customers using a specific type of malware called SSHBrute.