New malware plants backdoor on Microsoft web server software
IIS target of hackers looking to enter victim’s infrastructure
Dubbed IISpy, the malware uses various means to interfere with the server’s logging and evade detection so it can perform long-term espionage.
Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool.
“We suspect the attackers first obtain initial access to the IIS server via some vulnerability and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” said researchers.
Investigations unearthed the malware popping up on IIS servers in Canada, the US, and the Netherlands. Researchers suspect more servers have been compromised but said that since it is not common for administrators to use security software on servers, visibility into IIS servers is limited.
IISpy is configured as an IIS extension and can see all the HTTP requests received by the compromised IIS server and shape the HTTP response the server will answer with.
“IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant,” said researchers. Hackers start a connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker's request, extracts, and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
The backdoor enables hackers to get system information, upload and download data, execute files or shell commands, and more. The malware ignores all legitimate visitors HTTP requests sent to the compromised IIS server — the benign server modules handle these.
IISpy is written using the IIS C++ API and uses instances of IHttpContext, IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.
An anti-logging feature also implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests, according to researchers.
Researchers said organizations that handle sensitive data on their servers should watch for this malware. In particular, organizations using Outlook on the web (OWA) service on their Exchange email servers.
“OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation,” they added.
The definitive guide to warehouse efficiency
Get your free guide to creating efficiencies in the warehouseFree download
The total economic impact™ of Datto
Cost savings and business benefits of using Datto Integrated SolutionsDownload now
Three-step guide to modern customer experience
Support the critical role CX plays in your businessFree download
The global state of the channelDownload now