This Malware Can Completely Control the Compromised IIS Server

Intrusion Team
Sep 24, 2021

Increasing cyberattacks over the past several years and more governing compliance guidelines make securing web applications a crucial task for organizations. While concentrating on securing web applications, many don’t realize that it is essential to secure the entire web infrastructure, including the web servers. But what if the web servers are not secure and the attackers gain control over them?Microsoft Internet Information Services (IIS) and Apache web servers among others have long been targets of cybercriminals and hackers in general. It was sometimes even entertaining to watch the website defacing skills of script kiddies back in the day as they usually had some artistic skills and interesting messaging.That was all made possible through unsecured websites on unsecured web servers.

Have you heard of the IIS Malware?

The malware targeting the Internet Information Services (IIS) of Microsoft is not new and dates back to 2013 when Microsoft Vista introduced IIS 7.0. Security researchers have constantly warned organizations about various threat groups jeopardizing Window’s Web servers by deploying IIS-specific malware. Similar malware was seen earlier this year to exploit the Zero-Day vulnerability in the Microsoft Exchange Server. Researchers had collected around 80 samples, which were grouped into 14 malware families. Most of the IIS malware were detected between 2018 and 2021 and are highly active to date.

What is IIS Malware?

The IIS malware is similar to other malware, and organizations should not worry if they have malware detection solutions within their infrastructure. The purpose of the IIS malware is for cyberespionage and SEO fraud. It should be a concern to organizations when the IIS is installed without providing sufficient security. The web servers’ administrators overlook the need to install security, which encourages the attackers to hide in the server and go undetected for a more extended period.

The IIS malware had not been efficiently documented for many years, but ESET researchers recently discovered nearly 14 malware groups used as IIS information stealers and backdoors. No ties between the attackers have been observed, but their patterns are similar as they all have the native malicious IIS module. Researchers identified the IIS malware on the server-side. The malware does two main things:

  1. inspect and intercept all the data directed towards the server, and
  2. take advantage of the requests as they are processed on the server.

How does this Malware Work?

Researchers have identified five different modes in which the threat actors have been using the IIS malware. We found the following three interesting:

  1. IIStealer
    The IIStealer mode uses a malicious extension for the Microsoft web-server, whose purpose is to steal the data of their interest – primarily financial payment data of e-commerce websites sent to these servers that don’t use a third-party payment gateway. It intercepts the usual HTTP traffic between the infected server-client by targeting the HTTP Post request made to any particular URL. The IIStealer registers the HTTP request made by the client into certain logs and does not interfere with the legitimate HTTP reply sent back to the client. But the threat actors exfiltrate the sensitive data from the logs by making special HTTP requests.
  2. IISerpent
    When the threat actors use the IISerpent mode for SEO fraud, it can potentially change the information served to SEO crawlers to raise the ranking of the websites of the attacker’s interest. It is a server-side trojan that is used to steal sensitive information like user login credentials and payment details.
  3. IISpy
    The IISpy mode can remotely operate compromised systems after installing backdoors that use anti-forensic techniques. Some attackers also use IIS injectors to modify HTTP responses by serving malicious content to the legitimate users’ requests. The IIS proxies turn the compromised server into C2 for additional malware.

Protect yourself from Malware Attacks

This is not the first time Microsoft’s IIS web server has manifested itself as a fruitful target for threat actors. In the last month, An Israeli organization discovered that a sophisticated threat actor had deployed file-less malware into the public ASP.NET apps by exploiting the deserialization flaws. They speculate that Praying Mantis, the threat actor behind these attacks, is state-sponsored and targeting public and private organizations in the United States. Praying Mantis uses malware that is developed for IIS and loads the malware straight into the memory of the IIS worker process.

  • Use strong passwords. We always advise that web-server administrators use strong and unique passwords for their IIS and regularly patch their operating systems when updates are rolled out. This reduces the risk of the server being exploited by external threats.
  • Download the native IIS modules only from trusted sources. Threat actors could manipulate modules intended for upload on third-party unreliable websites, much like a supply chain attack such as Solar Winds.

While a good way to prevent such threats is to rely on powerful endpoint security solutions with cutting-edge technology, we also highly recommend a bidirectional, Zero Trust IDPS at the network level.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.