ESET researchers publish a white paper putting IIS web server threats under the microscope

ESET researchers have discovered a set of previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications.

Along with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware, provides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats. In this blogpost, we summarize the findings of the white paper. Today, we are also launching a series of blogposts where we introduce the most notable of the newly discovered IIS malware families, as case studies of how this type of malware is used for cybercrime, cyberespionage and SEO fraud.

The findings of our IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community at the Virus Bulletin 2021 conference on October 8th.

IIS is Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types of extensions – native (C++ DLL) and managed (.NET assembly) modules. Focusing on malicious native IIS modules, we have found over 80 unique samples used in the wild and categorized them into 14 malware families – 10 of which were previously undocumented. ESET security solutions detect these families as Win/Spy.IISniff.

IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests. With the default installation, IIS itself is persistent, so there is no need for extension-based IIS malware to implement additional persistence mechanisms. Once configured as an IIS extension, the malicious IIS module is loaded by the IIS Worker Process (w3wp.exe), which handles requests sent to the server – this is where IIS malware can interfere with the request processing.

We identified five main modes in which IIS malware operates, as illustrated in Figure 1:

- IIS backdoors allow their operators to remotely control the compromised computer with IIS installed.
- IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information. Using HTTPS doesn’t prevent this attack, as IIS malware can access all data handled by the server – which is where the data is processed in its unencrypted state.
- IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content.
- IIS proxies turn the compromised server into an unwitting part of the C&C infrastructure for another malware family, and misuse the IIS server to relay communication between victims of that malware and the real C&C server.
- SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.

Figure 1. Overview of IIS malware mechanisms

All of these malware types are discussed at length in the paper.

Native IIS modules have unrestricted access to any resource available to the server worker process – thus, administrative rights are required to install native IIS malware. This considerably narrows down the options for the initial attack vector.

- IIS malware spreading as a trojanized version of a legitimate IIS module.
- IIS malware spreading through server exploitation.

For example, between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon. After our colleagues reported the first such case in March 2021, we have detected four more campaigns of various IIS backdoors spreading to Microsoft Exchange servers through the same vulnerability. Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.
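Because a native module only runs once it has been registered as an IIS extension, the registration itself is a natural place for a defender to look. The following audit script is an added example, not code from ESET or from the paper: it parses the `<globalModules>` section of an IIS applicationHost.config (the list of native DLLs that w3wp.exe loads) and flags every module whose DLL is registered from outside the directories Microsoft's own native modules live in. It assumes a default `C:\Windows` layout for the trusted roots, and the embedded configuration is a constructed sample; the `CacheModule` entry and its path are made up, while the other three entries mirror stock Microsoft modules.

```python
"""Audit the native IIS modules registered in applicationHost.config.

Added example, not ESET's code. Native modules are registered under
<system.webServer><globalModules> with an `image` attribute naming the DLL
that the worker process (w3wp.exe) loads. A DLL registered from outside the
IIS install directory deserves a closer look.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: three stock Microsoft modules plus one odd registration
# (CacheModule and its path are invented for the demo).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CacheModule" image="C:\Windows\Temp\cachemod.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories Microsoft's own native modules are normally loaded from.
# Assumption: default Windows installation on drive C:.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
)


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %windir% / %SystemRoot% case-insensitively, as IIS does."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: windir, path,
                  flags=re.IGNORECASE)


def is_under_trusted_root(path):
    """True if the (expanded) DLL path lies inside one of TRUSTED_ROOTS."""
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively, so C:\WINDOWS matches too.
    return any(root == p or root in p.parents for root in TRUSTED_ROOTS)


def list_global_modules(xml_text):
    """Return (name, image) pairs for every <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    modules = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def audit_global_modules(xml_text):
    """Names of native modules whose DLL sits outside the trusted roots."""
    return [name for name, image in list_global_modules(xml_text)
            if not is_under_trusted_root(expand_windir(image))]


if __name__ == "__main__":
    # Pass a path to a real applicationHost.config, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for name, image in list_global_modules(text):
        ok = is_under_trusted_root(expand_windir(image))
        print(f"{'ok    ' if ok else 'REVIEW'} {name:<28} {image}")
```

On a live server the file to pass is `%windir%\System32\inetsrv\config\applicationHost.config`; the same name/image pairs are also returned by the `Get-WebGlobalModule` cmdlet of the WebAdministration PowerShell module. The path check has a blind spot that matches the first spreading vector above: a trojanized copy of a legitimate module sits in the expected directory and passes it, so pair the check with Authenticode signature verification and a hash comparison against a clean IIS installation of the same version.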