As opposed to web shells, malicious extensions for the IIS web server have a lower detection rate, which means attackers are increasingly using them to backdoor unpatched Exchange servers.
Since they can be hidden deep within a compromised server, and are often very difficult to detect. As they are installed in the same location as legitimate modules and use the same structure, attackers can provide themselves with the perfect and durable persistence mechanism that they need.
Since they use the same structure as legitimate modules in order to achieve the same effect as legitimate modules. The actual mechanism used to create a backdoor is usually quite minimal and the logic is not regarded as malicious in most cases.
It is rare that attackers will use unpatched security flaws in an app that is hosted to inject such malicious extensions into a server after successfully compromising it.
These types of attacks are usually deployed after the initial payload for the attack is deployed, usually a web shell. Later on, the IIS module is deployed on the compromised server so that it can be accessed more stealthily and persistently.
Previously, Microsoft experienced the installation of custom IIS backdoors after hackers exploited the following products:-
There are several things that can be harvested by malicious IIS modules once they have been deployed, and here they are listed below:-
Here below we have mentioned all the types of IIS backdoors:-
As a result of Kaspersky’s recent analysis of IIS extensions delivered onto Microsoft Exchange servers, it has been observed that malware performs the following actions:-
It has been at least since March 2021 that a similar piece of IIS malware has been detected in the wild, and this malware is referred to as SessionManager.
It is recommended that you consider the following mitigations in order to protect your system against attacks that use malicious IIS modules:-
The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…
Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…
The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…
Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…
A security researcher discovered a vulnerability in Windows theme files in the previous year, which…
The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…