RudePanda owns IIS servers like it’s 2003

MITRE Techniques

• [T1559] Inter-Process Communication – Attackers used ASP.NET viewstate deserialization to execute code on IIS servers by leveraging exposed machine keys (“…the attackers first exploited the ASP .NET viewstate to achieve remote code execution…”).
• [T1203] Exploitation for Client Execution – Exploited deserialization of viewstate and known machine keys to run ASP payloads on targeted servers (“…exploit ASP .NET viewstate deserialization to remotely execute code if they know the associated cryptographic secrets.”).
• [T1068] Exploitation for Privilege Escalation – Used “Potatoes” techniques (EfsPotato and DeadPotato) to escalate privileges and create a hidden local administrator account (“…then leveraged privileges escalation techniques known as “Potatoes” (EfsPotato and DeadPotato) to create an additional “hidden” local administrator (admin$).”).
• [T1105] Ingress Tool Transfer – Deployed a ZIP archive (sys-tw-v1-6-1-clean-log.zip) containing modules, drivers and tools to the compromised hosts (“…the attackers relied on pre-packaged tools and scripts… initially deployed … as a ZIP archive”).
• [T1210] Exploitation of Trusted Relationship – Used a signed kernel driver (Wingtb.sys) signed with an older certificate to load a rootkit on Windows systems (“…The driver is signed with an expired code-signing certificate … may still be loaded on Windows systems…”).
• [T1547] Boot or Logon Autostart Execution – Installed a kernel driver and associated service to persist and hide artifacts (“…Hidden.inf defines the corresponding service name as “Wingtb”… lock.bat loads the driver and hides files and registry keys”).
• [T1566] Phishing (malicious use of web content) – Generated SEO HTML pages and redirects to boost visibility of dubious cryptocurrency sites, abusing search engine crawlers (“…generate SEO HTML pages to answer HTTP requests that come from Google… links to redirection URL paths … lead to questionable cryptocurrency-related websites.”).
• [T1106] Native API – Malicious IIS modules hook HTTP processing stages (GL_PRE_BEGIN_REQUEST, RQ_BEGIN_REQUEST, RQ_SEND_RESPONSE) to manipulate responses and implement C2 (“…hooks all HTTP requests … at the very first stage … uses the content of HTTP requests … as a command and control (C2) channel.”).
• [T1059] Command and Scripting Interpreter – Provided unauthenticated remote command execution via HTTP endpoints (/scjg) and upload form (/mywebdll) to execute Windows shell commands (“…file upload and Windows shell command execution capability … can be triggered without any sort of authentication when bypassing the form (/scjg URL path).”).
• [T1070] Indicator Removal on Host – Scripted deletion of Windows Event logs to cover tracks (“…the install process includes a noisy deletion of every single Windows Event log file… delete every Windows Event log file (for /f “tokens=*” %%1 in (‘wevtutil el’) do wevtutil cl “%%1″).”).