IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New malware plants backdoor on Microsoft web server software

IIS target of hackers looking to enter victim’s infrastructure

Security researchers have discovered malware that can install a backdoor on Microsoft’s web server software Internet Information Services (IIS).

Dubbed IISpy, the malware uses various means to interfere with the server’s logging and evade detection so it can perform long-term espionage.

Researchers said the backdoor has been active since at least July 2020 and has been used with Juicy Potato, a privilege escalation tool. 

“We suspect the attackers first obtain initial access to the IIS server via some vulnerability and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension,” said researchers.

Investigations unearthed the malware popping up on IIS servers in Canada, the US, and the Netherlands. Researchers suspect more servers have been compromised but said that since it is not common for administrators to use security software on servers, visibility into IIS servers is limited.

IISpy is configured as an IIS extension and can see all the HTTP requests received by the compromised IIS server and shape the HTTP response the server will answer with. 

“IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant,” said researchers. Hackers start a connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker's request, extracts, and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.

Related Resource

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Five essentials from your endpoint security partner - title against a background of blue circles - whitepaper from MalwarebytesDownload now

The backdoor enables hackers to get system information, upload and download data, execute files or shell commands, and more. The malware ignores all legitimate visitors HTTP requests sent to the compromised IIS server — the benign server modules handle these.

IISpy is written using the IIS C++ API and uses instances of IHttpContext, IHttpRequest, and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.

An anti-logging feature also implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests, according to researchers.

Researchers said organizations that handle sensitive data on their servers should watch for this malware. In particular, organizations using Outlook on the web (OWA) service on their Exchange email servers.

“OWA is implemented via IIS and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation,” they added.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022

Most Popular

The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022