Cybersecurity researchers from Unit 42 have uncovered a sophisticated campaign by an initial access broker (IAB) group dubbed TGR-CRI-0045, which exploits leaked cryptographic keys to gain unauthorized access to organizations running ASP.NET websites.
The threat actors leverage compromised Machine Keys to execute malicious payloads directly in server memory, enabling them to maintain stealthy access while minimizing forensic traces.
Active since October 2024, the group has primarily targeted organizations across Europe and the United States in sectors including financial services, manufacturing, retail, high technology, and transportation.
Sophisticated Memory-Based Attack Technique
TGR-CRI-0045 employs ASP.NET View State deserialization attacks, a technique that exploits the way web applications handle data between client-server interactions.
The attackers use publicly available lists of compromised Machine Keys, the cryptographic components that protect ASP.NET View State from manipulation, to craft malicious deserialization payloads that bypass the built-in integrity and encryption protections.
The group deploys tools like ysoserial.net to generate these payloads, which are then executed using the XamlAssemblyLoadFromFile gadget.

This approach allows the attackers to load and execute .NET assemblies directly in memory from Base64-encoded data contained within HTTP parameters.
The exploitation follows a “single-shot” model, requiring separate attempts for each command execution, resulting in a 1:1 ratio of exploit attempts to command executions.
Investigators recovered five distinct .NET assemblies used by the group, including command execution modules, file upload and download capabilities, exploitation verification tools, and reflective loaders.
These modules utilize simple single-character XOR encryption and terminate HTTP responses to reduce forensic artifacts, making detection significantly more challenging for traditional security tools.
Attribution and Escalating Activity
Security researchers attribute TGR-CRI-0045 to Gold Melody (also known as UNC961 or Prophet Spider) with medium confidence based on overlapping indicators of compromise, tactics, techniques, procedures, and victimology patterns.
The group demonstrates an opportunistic approach consistent with IAB operations, where initial access is sold to other threat actors for further exploitation.
The threat actors employ additional post-exploitation tools, including a custom privilege escalation binary named “updf” that disguises itself as legitimate PDF editing software while utilizing the GodPotato exploit to achieve SYSTEM-level access.
They also deploy TxPortMap, a Golang-based port scanner for network reconnaissance, and consistently use “C:\Windows\Temp\111t” as their staging directory for tools and exfiltrated data.
Activity surged significantly between late January and March 2025, with Unit 42 identifying or responding to incidents at approximately twelve organizations.
The in-memory nature of these attacks enables extended dwell times and persistent access, as remediation typically requires generating new Machine Keys or decommissioning the affected servers.
Organizations are strongly advised to review Microsoft’s guidance on identifying and remediating compromised Machine Keys for ASP.NET Internet Information Services sites to protect against these sophisticated attacks.
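As an added illustration of the check that guidance calls for (this is example code, not Unit 42's or Microsoft's), the following Python parses a web.config, reports every statically configured machineKey, and compares a fingerprint of each key against a reference list. The sample config, its placeholder keys, and the hashed-list format are all assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static machineKey; the keys are placeholders, not real leaked values.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

def key_fingerprint(key_hex: str) -> str:
    """SHA-256 of the normalised (uppercase, whitespace-free) hex key, so the raw key
    never has to be copied into the reference list. Assumption: a hashed list format."""
    return hashlib.sha256("".join(key_hex.split()).upper().encode()).hexdigest()

# Constructed "known compromised" list as fingerprints rather than raw keys. The single
# entry is the validationKey from the sample above so the audit has a hit to report.
KNOWN_COMPROMISED = {
    key_fingerprint("1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF"),
}

def extract_machine_keys(config_xml: str) -> list[dict]:
    """Return every <machineKey> element (under system.web or a <location> override) with
    its validationKey/decryptionKey attributes; AutoGenerate values are reported as None."""
    root = ET.fromstring(config_xml)
    found = []
    for elem in root.iter("machineKey"):
        entry = {}
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            entry[attr] = None if value.startswith("AutoGenerate") else value
        found.append(entry)
    return found

def audit_machine_keys(config_xml: str, compromised=KNOWN_COMPROMISED) -> list[str]:
    """One finding per static key: 'compromised' when its fingerprint is on the list,
    'static' otherwise (static keys still need rotation once a server is suspected)."""
    findings = []
    for entry in extract_machine_keys(config_xml):
        for attr, value in entry.items():
            if value is None:
                continue
            status = "compromised" if key_fingerprint(value) in compromised else "static"
            findings.append(f"{attr}: {status}")
    return findings

if __name__ == "__main__":
    for line in audit_machine_keys(SAMPLE_WEB_CONFIG):
        print(line)
```

A real audit would load Microsoft's published list in place of the constructed set and walk every site's web.config, including machine-level configuration files.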