Dark Web Spotlight: Praying Mantis Style Malware
Praying Mantis is a sophisticated and likely government-sponsored threat actor that has targeted important public and private organizations. Its modus operandi is to exploit deserialization flaws in ASP.NET applications and use them to deploy fileless malware. The group is highly secretive: its purpose-built, memory-resident (volatile) malware harvests credentials and moves laterally without leaving tools on disk.

The malware's design is intensely focused on avoiding detection. It interferes with logging mechanisms and sidesteps endpoint detection and response (EDR) tools by not maintaining a connection to a command-and-control server or continuously sending data back. Afterwards, the threat actor removes any disk-resident tools, trading persistence for secrecy.

Detection and prevention strategies are being developed, namely patching .NET deserialization vulnerabilities, scanning internet-facing IIS servers, and actively hunting for suspicious activity. The Australian government's Cyber Security Centre (ACSC) published a report containing indicators of compromise and attack techniques that partially overlap with the Praying Mantis M.O. CybelAngel Asset Discovery and Monitoring can assist in locating vulnerable servers and assets to help avoid malware infection.
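To make the class of flaw concrete, here is an added illustration (not code from the original article, from the threat actor, or from any product mentioned above) of an ASP.NET Core endpoint that deserializes untrusted input unsafely, beside a hardened replacement. The controller and request-type names (`LegacyController`, `SafeController`, `OrderRequest`) are hypothetical assumptions made for the example.

```csharp
// Added illustration of unsafe vs. hardened deserialization in ASP.NET Core.
// Controller and type names below are hypothetical, not from the original article.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public sealed class OrderRequest
{
    public int OrderId { get; set; }
    public string Sku { get; set; } = string.Empty;
    public int Quantity { get; set; }
}

// VULNERABLE PATTERN: BinaryFormatter rebuilds whatever object graph the payload
// describes, so the bytes sent by the client decide which types get instantiated.
// This is the category of .NET deserialization weakness the article refers to.
[ApiController]
[Route("legacy/orders")]
public sealed class LegacyController : ControllerBase
{
    [HttpPost]
    public async Task<IActionResult> Post()
    {
        using var buffer = new MemoryStream();
        await Request.Body.CopyToAsync(buffer);   // untrusted request body
        buffer.Position = 0;

#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete because it is unsafe
        var formatter = new BinaryFormatter();
        var request = (OrderRequest)formatter.Deserialize(buffer); // type chosen by payload
#pragma warning restore SYSLIB0011

        return Ok(request.OrderId);
    }
}

// HARDENED PATTERN: deserialize into one fixed, plain data type with a parser that
// honours no type information from the payload, bound the input, and validate it.
[ApiController]
[Route("orders")]
public sealed class SafeController : ControllerBase
{
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 8,            // limit nesting of attacker-controlled documents
        AllowTrailingCommas = false,
    };

    [HttpPost]
    public async Task<IActionResult> Post()
    {
        OrderRequest? request;
        try
        {
            // System.Text.Json only ever materialises OrderRequest here; the
            // payload cannot name another type to construct.
            request = await JsonSerializer.DeserializeAsync<OrderRequest>(Request.Body, Options);
        }
        catch (JsonException)
        {
            return BadRequest();   // malformed input is rejected, not partially processed
        }

        if (request is null || request.Quantity <= 0 || string.IsNullOrWhiteSpace(request.Sku))
        {
            return BadRequest();   // semantic validation after structural parsing
        }

        return Ok(request.OrderId);
    }
}
```

The first controller compiles only with the obsolescence warning suppressed, and on .NET 5 and later ASP.NET Core refuses to run `BinaryFormatter` unless it is explicitly re-enabled, which is why "patching .NET deserialization vulnerabilities" above largely means upgrading away from legacy formatters and applying vendor fixes for the frameworks and libraries that still wrap them. When hunting, internet-facing IIS servers that still expose endpoints of the first shape are the ones worth prioritising.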