In this campaign, threat actors compromise Windows IIS servers and add an expired certificate notification page that prompts visitors to download a malicious fake installer.
Internet Information Services (IIS) is the web server software included with Windows versions going back to Windows 2000 and Server 2003.
The message on the malicious certificate expiration error page says that a potential security risk was detected and that the transition has not been extended, and that getting the security certificate allows it to succeed.
Malwarebytes Threat Intelligence security researchers observed that the malware is installed via a fake update that is signed with a Digicert certificate.
#FakeCertificate campaign via compromised IIS sites. Payload (TVRAT) 223d8c94877ac7e689733ab7131b749393c7570c2653cd1955f5cb2b4d68deae pic.twitter.com/MPip1Jb7K6
— Malwarebytes Threat Intelligence (@MBThreatIntel) September 20, 2021
The payload dropped on the infected system is TVRAT, which is designed to give its operator full remote access to the infected host. Once deployed on the infected device, the malware silently installs the TeamViewer remote control software.

TeamViewer on the infected host
After it is launched, the TeamViewer server reaches out to the command-and-control (C2) server so the attackers know that they can remotely control the newly compromised computer. TVRAT first surfaced in 2013, when it was delivered via spam campaigns with malicious attachments that targeted Office macros.
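A check a site operator could run over an IIS content directory for the kind of page described above, as an added example that is not from the original article or from Malwarebytes: it flags page files that pair certificate-expiry wording with a link to an installer-type file, and any file whose SHA-256 matches the payload hash in the tweet. The regular expressions, the file extensions and the sample site are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 of the TVRAT payload, taken from the tweet quoted on this page.
PAYLOAD_SHA256 = "223d8c94877ac7e689733ab7131b749393c7570c2653cd1955f5cb2b4d68deae"
# Assumed lure wording: "certificate" close to "expired"/"out of date"/"update".
CERT_LURE = re.compile(
    r"certificate[^<]{0,80}(?:expir|out of date|updat)"
    r"|(?:expir|updat)[^<]{0,80}certificate", re.I)
# A link, script source or redirect that points at an installer-type file.
INSTALLER_LINK = re.compile(
    r"""(?:href|src|location)\s*=\s*["']?[^"'\s>]+\.(?:exe|msi|scr|zip)\b""", re.I)
PAGE_SUFFIXES = {".html", ".htm", ".asp", ".aspx", ".js"}

def scan_webroot(root, known_hashes=frozenset({PAYLOAD_SHA256})):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if hashlib.sha256(data).hexdigest() in known_hashes:
            findings.append((rel, "known-payload-hash"))
        if path.suffix.lower() in PAGE_SUFFIXES:
            text = data.decode("utf-8", errors="replace")
            # Both signals are required: a download link alone is normal.
            if CERT_LURE.search(text) and INSTALLER_LINK.search(text):
                findings.append((rel, "cert-lure-with-installer-link"))
    return sorted(findings)

def demo():
    """Scan a constructed sample site (not real campaign content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "err").mkdir()
        (root / "index.html").write_text(
            "<h1>Welcome</h1><a href='/cert-policy.html'>Certificate policy</a>")
        (root / "downloads.html").write_text(
            "<a href='/files/tool.msi'>Download our tool</a>")
        (root / "err" / "notice.aspx").write_text(
            "<p>Your security certificate has expired.</p>"
            "<a href=\"/files/update.exe\">Install update</a>")
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

A genuine certificate-expiry warning is produced by the browser during the TLS handshake, so site content that makes the claim itself and offers a download is worth reviewing by hand.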
About IIS Servers (Includes Vulnerable and Targeted)
To use this method, attackers first have to compromise the IIS server, and there are various ways to breach a Windows IIS server.
Exploit code targeting a critical wormable vulnerability found in the HTTP Protocol used by the Windows IIS web server has been publicly available since May.
Microsoft has patched the security flaw, which applies to Windows Server versions 2004/20H2. State-sponsored-level threat actors have leveraged various other exploits to compromise internet-facing servers, mostly with deserialization attacks with a load of complete volatile.