Tuesday, March 18, 2025
Homecyber securityNew C++-Based IIS Malware Mimics cmd.exe to Evade Detection

New C++-Based IIS Malware Mimics cmd.exe to Evade Detection

Published on

SIEM as a Service

Follow Us on Google News

A recent discovery by Palo Alto Networks’ Unit 42 has shed light on sophisticated malware targeting Internet Information Services (IIS) servers.

This malware, developed in C++/CLI, a rare choice for malware authors, has been designed to mimic the behavior of cmd.exe to evade detection.

The malware operates as a passive backdoor, integrating itself into the IIS server by registering for HTTP response events.

It filters incoming HTTP requests for specific headers, which are used to execute commands.

The commands and data are encrypted using AES and then Base64-encoded, adding a layer of complexity to its operations.

Technical Analysis

The malware has two versions, both of which were uploaded to VirusTotal from Thailand.

The newer version, compiled on May 9, 2023, employs a custom cmd.exe wrapper tool to execute commands, reducing the visibility of its activities by avoiding direct cmd.exe invocation from the IIS process.

IIS Malware
 IIS backdoor event handler as shown by dnSpyEx.

This wrapper application is embedded within the malware and communicates via a named pipe, allowing it to redirect command-line commands from the command and control (C2) server and return results.

The malware supports a range of commands, including file management, process execution, and system information retrieval.

According to the Report, it also patches AMSI and ETW routines to evade detection by security software.

The use of C++/CLI for this malware is notable due to its rarity in the malware landscape.

This choice likely stems from the language’s ability to combine managed and unmanaged code, making analysis more challenging.

The malware’s sophistication and targeted nature suggest it may have been used in specific attacks, although attribution to a known threat actor remains elusive.

Detection and Protection

Palo Alto Networks’ Advanced WildFire and Cortex XDR/XSIAM solutions offer enhanced protection against this malware by leveraging memory analysis and behavioral threat protection.

These tools can identify and block both known and unknown malware, providing a robust defense mechanism against such sophisticated threats.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats and employing advanced security solutions is crucial for organizations seeking to protect their infrastructure.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by...

Hackers Use DLL Side-Loading to Deploy Malicious Python Code

A recent discovery by Xavier Mertens, a senior handler at the Internet Storm Center,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by...