IIS malware presents diverse, persistent, and growing threats from old and new threat actors.

Security researchers warn that multiple groups are compromising Windows web servers and deploying malware programs designed to function as extensions for Internet Information Services (IIS). Such malware was deployed this year by hackers exploiting Microsoft Exchange zero-day vulnerabilities, but a total of 14 groups have been observed using native IIS backdoors and information stealers in recent years.

“IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests,” researchers from security vendor ESET said in a recent report.

In total, the company has observed over 80 samples of malicious IIS extensions that belong to 14 distinct malware families, ten of which were previously undocumented.

The many uses of IIS malware

Microsoft’s web server, known as IIS, supports modules that are either implemented as DLLs (native) or written in .NET (managed). Since native modules are loaded by the IIS worker process, which starts automatically, attackers need no other persistence mechanism for their malware. The modules have unrestricted access to all resources available to the worker process, which makes them very powerful.
The ESET researchers have seen malicious IIS extensions that function as:

- Backdoors, giving attackers control over the compromised server
- Infostealers, intercepting regular web traffic between users and the server to steal login credentials, payment information and other sensitive data
- Traffic injectors, modifying HTTP responses to redirect visitors to malicious content
- Proxies, turning the compromised servers into traffic relays between other malware programs and their real command-and-control servers
- SEO fraud bots, modifying content served to search engines in order to artificially boost the SERP ranking of other websites

Server-side exploits and social engineering

Installing and configuring native IIS modules requires administrative privileges, so to deploy such malware attackers exploit vulnerabilities in servers that give them this level of access. “Between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon,” the ESET researchers said. “Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.”

The antivirus firm detected IIS backdoors deployed in this campaign on servers belonging to government institutions from three countries in Southeast Asia, a major telecommunications company in Cambodia, a research institution in Vietnam and dozens of private companies from the US, Canada, Vietnam, India, New Zealand, South Korea and other countries.

The same Exchange vulnerabilities were used by the cyberespionage group Hafnium, which the US government linked to China’s Ministry of State Security (MSS), to compromise servers belonging to thousands of organizations and infect them with web shells.
The attacks were so severe and widespread that the FBI obtained a rare search and seizure warrant that allowed it to actively access the hacked servers and clean the infections.

In addition to deployment through server exploitation, IIS malware is also distributed through social engineering: attackers disguise it as Trojanized versions of legitimate IIS modules and rely on unwitting administrators to install them, the researchers said.

Detecting IIS malware

Unlike other malware programs that actively reach out to command-and-control servers to receive instructions, IIS malware has a passive communication channel enabled by the web server itself. Since the malicious modules hook into the worker process, attackers can control them by sending specially crafted HTTP requests to the web server.

Researchers observed attackers sending commands to IIS backdoors by generating specific URLs or request bodies that matched hardcoded regular expressions, or by sending requests with custom HTTP headers or specific tokens embedded in the URL, request body or headers. That said, IIS malware that redirects visitors to malicious websites or serves malicious content does usually reach out to remote servers in real time in order to obtain its configuration.

To prevent and detect IIS malware, the ESET researchers make the following recommendations:

- Use dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor authentication (MFA) for these accounts. Monitor the usage of these accounts.
- Regularly patch your OS and carefully consider which services are exposed to the internet to reduce the risk of server exploitation.
- Consider using a web application firewall or endpoint security solution on your IIS server.
- Native IIS modules have unrestricted access to any resource available to the server worker process, so install only native IIS modules from trusted sources to avoid downloading their Trojanized versions. Be especially aware of modules promising too-good-to-be-true features such as magically improving SEO.
- Regularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a trusted provider or installed on purpose).

Some IIS malware can be transient, leaving few traces behind. Researchers from security firm Sygnia recently reported that a state-sponsored threat actor dubbed Praying Mantis relies on a malware framework developed for IIS and uses reflective loading techniques to load the malware directly into the memory of the IIS worker process. Such infections live only in RAM and would normally disappear if the server process were restarted, but web servers are rarely restarted because they are designed for long, stable uptimes. Praying Mantis deploys its malware by exploiting deserialization flaws in ASP.NET applications.
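The recommendation above to verify that every installed native module is legitimate can be turned into a routine check. The PowerShell script below is an added example written for this article; it is not code from ESET, Sygnia or the article's author. It reads the server-wide IIS configuration file (the default path under %windir%\System32\inetsrv\config is assumed), lists every native module registered in globalModules, notes whether each one is enabled, and flags any module whose DLL is missing, lacks a valid Authenticode signature, or lives outside the directories where Microsoft's own IIS and ASP.NET modules are installed. The "trusted directory" list is an assumption about a default host layout; adjust it if you deliberately install third-party modules elsewhere.

```powershell
# Added example, not from the ESET report or the article: audit the native
# (global) IIS modules registered in applicationHost.config and flag entries
# that deserve a closer look. Run in an elevated PowerShell on the IIS server.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'  # default IIS path (assumption)

# Directories where legitimate Microsoft native modules normally live (assumption about a default host).
$trustedDirs = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

[xml]$config = Get-Content -LiteralPath $configPath -Raw

# globalModules = every native DLL the worker process (w3wp.exe) will load;
# modules = which of those are actually enabled for the default request pipeline.
$globalModules = @($config.configuration.'system.webServer'.globalModules.add)
$enabledNames  = @($config.configuration.'system.webServer'.modules.add | ForEach-Object { $_.GetAttribute('name') })

$report = foreach ($m in $globalModules) {
    $name  = $m.GetAttribute('name')
    # image attributes are stored with environment variables such as %windir%
    $image = [Environment]::ExpandEnvironmentVariables($m.GetAttribute('image'))
    $exists = Test-Path -LiteralPath $image

    $signature = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $publisher = if ($signature -and $signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { '' }
    $company   = if ($exists) { (Get-Item -LiteralPath $image).VersionInfo.CompanyName } else { '' }

    # Collect reasons this entry needs review; an empty list means nothing stood out.
    $flags = @()
    if (-not $exists) {
        $flags += 'file-missing'
    } elseif ($signature.Status -ne 'Valid') {
        $flags += "signature-$($signature.Status)"
    }
    $inTrustedDir = $false
    foreach ($dir in $trustedDirs) {
        if ($image.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }
    if ($exists -and -not $inTrustedDir) { $flags += 'outside-trusted-dirs' }

    [pscustomobject]@{
        Name      = $name
        Image     = $image
        Enabled   = ($enabledNames -contains $name)
        Publisher = $publisher
        Company   = $company
        Flags     = ($flags -join ',')
    }
}

# Show flagged modules first so they can be compared against the list of modules installed on purpose.
$report | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize

$suspicious = @($report | Where-Object { $_.Flags -ne '' })
if ($suspicious.Count -gt 0) {
    Write-Warning ("{0} native module(s) need review: {1}" -f $suspicious.Count, ($suspicious.Name -join ', '))
}
```

Two caveats apply when reading the output. Many Windows system binaries are catalog-signed rather than carrying an embedded signature, so on older hosts a legitimate Microsoft module can show a status other than Valid; compare the report against a freshly built reference server rather than treating every flag as an infection. And because this check only looks at what is registered on disk, it will not see the purely in-memory, reflectively loaded implants the article attributes to Praying Mantis; those require inspecting the running worker process.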