New malware plants backdoor on Microsoft web server software

IIS target of hackers looking to enter victim’s infrastructure

Security researchers have discovered malware that can install a backdoor on Microsoft’s web server software Internet Information Services (IIS).

Dubbed IISpy, the malware uses various means to interfere with the server’s logging and evade detection so it can perform long-term espionage.

Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool. 

“We suspect the attackers first obtain initial access to the IIS server via some vulnerability and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” said researchers.

Investigations unearthed the malware popping up on IIS servers in Canada, the US, and the Netherlands. Researchers suspect more servers have been compromised but said that since it is not common for administrators to use security software on servers, visibility into IIS servers is limited.

IISpy is configured as an IIS extension and can see all the HTTP requests received by the compromised IIS server and shape the HTTP response the server will answer with. 

“IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant,” said researchers. Hackers start a connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker's request, extracts, and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.

Related Resource

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Five essentials from your endpoint security partner - title against a background of blue circles - whitepaper from MalwarebytesDownload now

The backdoor enables hackers to get system information, upload and download data, execute files or shell commands, and more. The malware ignores all legitimate visitors HTTP requests sent to the compromised IIS server — the benign server modules handle these.

IISpy is written using the IIS C++ API and uses instances of IHttpContext, IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.

An anti-logging feature also implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests, according to researchers.

Researchers said organizations that handle sensitive data on their servers should watch for this malware. In particular, organizations using Outlook on the web (OWA) service on their Exchange email servers.

“OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation,” they added.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update
cyber security

Microsoft takes aim at critical RCE flaws with "massive" Patch Tuesday update

12 Jan 2022
Windows 11 problems and how to fix them
Microsoft Windows

Windows 11 problems and how to fix them

7 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022