Praying Mantis Threat Group Targeting US Firms in Sophisticated Attacks

Published: 23/11/2024   Category: security




The group's advanced memory-resident attacks resemble those employed in a sustained campaign against Australian companies and government last year, security vendor says.



A sophisticated threat actor behind a series of highly targeted attacks on Australian companies and government entities last year may be carrying out a similar campaign against US organizations, using almost exclusively memory-resident malware.
Researchers at Sygnia this week reported observing attacks bearing all the hallmarks of the Australian campaign, targeting what they described as high-profile public and private entities in the US. Sygnia says the threat actor, which it is tracking as Praying Mantis or TG1021, has been attacking Windows Internet Information Services (IIS) environments and Web applications to gain initial access to target networks.
The attacks have been going on since at least last June and appear to be a cyber-espionage operation for a state-backed entity. While the full scope of activity is unknown to Sygnia, the level of sophistication and highly persistent nature of the threat actor suggests the existence of a large operation, says Arie Zilberstein, vice president of incident response at Sygnia.
Some reports out of Australia last year have suggested the activity is linked to China, a country the Biden administration recently publicly accused of using criminal gangs to conduct cyber espionage and other malicious missions on its behalf.
Zilberstein says Sygnia first uncovered signs of the campaign when responding to a report of a potential compromise on a customer network. This gradually unfolded the attack and tool set, which made it more trackable, he says.
According to Sygnia, the threat actor's main tactic for gaining a foothold on a target network has been to use various so-called deserialization exploits against IIS, along with vulnerabilities in Web applications. Zilberstein explains a deserialization exploit as one that leverages the way an application initializes objects that have been serialized. If the deserialization process is insecure, the program can be exploited to execute malicious code on the target.
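To make the mechanism Zilberstein describes concrete, here is an added illustration in Python. It is not Sygnia's code and not a .NET exploit: Python's pickle plays the role of the .NET formatter, the `__reduce__` hook plays the role of a .NET gadget chain, and the allowlisting unpickler plays the role of a restrictive SerializationBinder. The `SurveyAnswer` type, the `Gadget` payload, and the blobs are constructed for the example; the "pwned" marker assumes a POSIX `echo`.

```python
"""Insecure deserialization beside an allowlisted loader.

Added example, not Sygnia's code. Python analogue of the .NET weakness:
the serialized blob names the type to reconstruct, and reconstruction can
run an attacker-chosen callable before the application sees the object.
"""
import io
import pickle
import subprocess  # referenced only by the constructed malicious payload


class SurveyAnswer:
    """The one application type the server legitimately expects to receive."""

    def __init__(self, question_id, text):
        self.question_id = question_id
        self.text = text


class Gadget:
    """Constructed attacker object. Unpickling it calls the callable returned
    by __reduce__ with the given arguments; no code in the target app is
    needed beyond the act of deserializing."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_blob() -> bytes:
    return pickle.dumps(Gadget())


def build_benign_blob() -> bytes:
    return pickle.dumps(SurveyAnswer(7, "yes"))


def vulnerable_load(blob: bytes):
    """Trusts whatever module/type names the blob carries: the vulnerable
    pattern. With the malicious blob this returns the output of `echo pwned`,
    proving the sender chose what ran."""
    return pickle.loads(blob)


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only types the application expects. Every other global lookup
    (subprocess.check_output, os.system, ...) is refused before any
    constructor or callback executes. Same idea as a .NET SerializationBinder
    that returns null for unexpected types."""

    ALLOWED = {(SurveyAnswer.__module__, "SurveyAnswer")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(blob: bytes):
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def hardened_load_rejects(blob: bytes) -> bool:
    """True when the allowlisting loader refuses the blob (and nothing ran)."""
    try:
        hardened_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_load(build_malicious_blob()))          # b'pwned\n'
    print(hardened_load_rejects(build_malicious_blob()))    # True
    print(vars(hardened_load(build_benign_blob())))         # benign object intact
```

The allowlist is the important part: it is the only control here that stops the exploit before any code runs, which is why the same advice (restrict the types a deserializer may instantiate) applies to the .NET formatters behind the CVEs discussed below.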
As one example, he points to CVE-2021-27852, a zero-day vulnerability in the Checkbox Survey Web application that the attackers have used to exploit IIS servers. The vulnerability is associated with an insecure deserialization mechanism in the application and allows remote code execution on the target server. The attackers have also been observed exploiting two vulnerabilities (CVE-2019-18935 and CVE-2017-11317) in Telerik UI, a widely used set of user-interface components for Web applications.
The attackers have used the initial access from these exploits to execute memory-resident malware that serves as a backdoor on Internet-facing IIS servers. The malware intercepts and handles all HTTP requests that the compromised IIS server receives. It appears custom designed for IIS, is completely volatile (it operates only in memory) and leaves very little trace on infected systems, Sygnia says in a new report.
The threat actors have used their access on the IIS servers to drop additional post-exploitation malware, including a stealthy backdoor, for conducting network reconnaissance, elevating privileges and moving laterally. The activity Sygnia has observed suggests that Praying Mantis is an experienced and stealthy actor that is very familiar with the Windows IIS environment and maintains a high level of operational security. The group's malware appears designed to evade easy detection by, among other things, interfering with logging and waiting for incoming instructions from attacker-controlled servers rather than proactively connecting out to a remote command-and-control server and thus risking detection.
Sygnia says TG1021's tactics, techniques, and procedures (TTPs) are like those employed by the actors behind what the Australian government last year described as "copy-paste compromises," so named because the tools involved were copied nearly identically from open source material. Just like Praying Mantis, the actor behind the sustained attacks in Australia last year also leveraged deserialization exploits and vulnerabilities in Telerik UI in its campaigns. There are also significant overlaps in the tool sets used in both campaigns and in the obfuscation mechanisms, Sygnia says.
Highly Sophisticated
"We view the group as highly sophisticated, much more than commonly found in the threat landscape," Zilberstein says. It has been operating with exploits and advanced malware and has succeeded in actively hiding its presence and avoiding detection by leading EDRs, he notes. TG1021 prefers to give up on persistence and redeploy its malware by reflectively loading it into memory at each phase of the attack. This shows an extensive attempt to hide its existence in compromised networks.
Zilberstein says that Praying Mantis' modus operandi and victim targeting suggest it is state-backed. However, at this point, Sygnia does not want to speculate on the group's provenance, he says. Some reports out of Australia last year have suggested the group is linked to China.
Defending against TG1021 attacks is a tough task, Zilberstein notes. At a high level, organizations should consider patching IIS servers for known .NET deserialization vulnerabilities. If organizations are using the Checkbox Survey app, they need to upgrade to the latest version. Organizations should also be actively hunting for suspicious activity targeting Internet-facing IIS environments.
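A starting point for the hunting Zilberstein recommends, as an added example that is not Sygnia's tooling or part of its published indicators: a small Python scanner over IIS W3C logs that flags requests to the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the entry point for CVE-2019-18935 and CVE-2017-11317) and, as a looser heuristic, unusually large POST bodies to ASP.NET handlers, since serialized gadget chains tend to be bulky. The log lines are constructed, and the example assumes `cs-bytes` logging is enabled on the site (it is not in the default IIS field set). Because the report notes the backdoor interferes with logging, an empty result is weak evidence; a hit, however, is worth chasing.

```python
"""Hunt IIS W3C logs for Telerik RadAsyncUpload exploitation attempts.

Added example, not Sygnia's code. Sample log lines below are constructed.
"""
from collections import Counter

# Constructed W3C-format lines (not real telemetry). cs-bytes is assumed to be
# enabled in the site's logging configuration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes time-taken
2021-06-14 02:11:03 10.0.0.5 GET /survey/default.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 512 31
2021-06-14 02:11:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.25.1 200 310 12
2021-06-14 02:11:14 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.25.1 200 187344 904
2021-06-14 02:11:21 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 python-requests/2.25.1 500 187344 1207
2021-06-14 02:12:40 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd d=abc123&t=636 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 4
2021-06-14 02:13:02 10.0.0.5 POST /survey/Submit.aspx - 443 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 2048 55
"""

# Heuristic threshold (assumption): serialized gadget chains run to hundreds of KB.
LARGE_POST_BYTES = 64 * 1024


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name for a suspicious record, or None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    method = rec.get("cs-method", "").upper()

    # RadAsyncUpload handler: the endpoint behind CVE-2019-18935 / CVE-2017-11317.
    # A GET is typically a probe for the handler; a POST carries the upload payload.
    if stem.endswith("/telerik.web.ui.webresource.axd") and "type=rau" in query.split("&"):
        return "telerik_rau_post" if method == "POST" else "telerik_rau_probe"

    # Looser heuristic: a large POST body to any ASP.NET handler.
    try:
        body = int(rec.get("cs-bytes", "0"))
    except ValueError:
        body = 0
    if method == "POST" and stem.endswith((".axd", ".aspx")) and body >= LARGE_POST_BYTES:
        return "large_post_to_handler"
    return None


def hunt(text):
    """Return a list of findings, one per suspicious request line."""
    findings = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append({
                "rule": rule,
                "c-ip": rec["c-ip"],
                "time": f"{rec['date']} {rec['time']}",
                "status": rec.get("sc-status"),
                "ua": rec.get("cs(User-Agent)"),
            })
    return findings


def summarize(findings):
    """Count findings per (source IP, rule) to see who is hammering the handler."""
    return Counter((f["c-ip"], f["rule"]) for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

On the constructed sample, only 198.51.100.7 is flagged: one probe followed by two oversized POSTs to the RadAsyncUpload handler, the second returning a 500. The legitimate `d=...&t=...` WebResource request and the ordinary survey submission are left alone. In production, feed the function the site's daily log files and join the flagged source addresses against the IoCs Sygnia published.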
Sygnia has also provided indicators of compromise and TTPs associated with Praying Mantis, along with tips for mitigating the risk of compromise by the group.





