Malicious IIS extensions are gaining popularity among cybercriminals due to persistent access


Threat actors are increasingly misusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism”.

That is according to a new warning from the Microsoft 365 Defender Research Team, who said that “IIS backdoors are also more difficult to detect because they are usually in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”

Attack chains that take this approach begin by exploiting a critical vulnerability in the hosted application, using that foothold to drop a script-based web shell as the first-stage payload.

This web shell then becomes the channel for installing a rogue IIS module that provides covert, persistent access to the server, in addition to monitoring incoming and outgoing requests and executing remote commands.
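Because a rogue module is registered in IIS configuration just like a legitimate one (and, as the Microsoft researchers note, often sits in the same directory), a practical defender's check is to diff the module registrations in applicationHost.config against a baseline taken from a known-good host. The script below is an added example, not code from the article or from Microsoft; it parses a constructed, simplified applicationHost.config excerpt and flags native modules that are unknown or whose DLL path differs from the baseline, plus managed modules not in the baseline. The baseline dictionaries, the "CacheHelperModule"/cachehlp.dll entry, the relocated loghttp.dll path and the managed-module type string are all constructed sample values.

```python
"""Audit IIS module registrations in applicationHost.config against a known-good baseline."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Baseline captured from a known-good IIS host (hypothetical values for this example;
# the module names and DLLs below are real IIS defaults, but the list is not exhaustive).
NATIVE_BASELINE = {
    "UriCacheModule": r"%windir%\System32\inetsrv\cachuri.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
}
MANAGED_BASELINE = {"Session", "FormsAuthentication", "UrlAuthorization"}

# Constructed applicationHost.config excerpt (simplified layout, not a real host's file).
# It contains three planted anomalies: a known module pointed at a relocated DLL, an
# unknown native module placed in the legitimate inetsrv directory, and an unknown
# managed module named after the backdoor discussed in the article (type string is a placeholder).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="C:\inetpub\temp\loghttp.dll" />
      <add name="CacheHelperModule" image="%windir%\System32\inetsrv\cachehlp.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="StaticFileModule" />
      <add name="HttpLoggingModule" />
      <add name="CacheHelperModule" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <add name="FinanceSvcModel" type="Placeholder.Namespace.FinanceSvcModel, FinanceSvcModel" />
    </modules>
  </system.webServer>
</configuration>
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "native" (globalModules entry) or "managed" (modules entry with a type)
    name: str
    detail: str  # image path or .NET type string
    reason: str


def audit_iis_modules(config_xml, native_baseline=NATIVE_BASELINE, managed_baseline=MANAGED_BASELINE):
    """Return a list of Finding objects for registrations that deviate from the baseline."""
    root = ET.fromstring(config_xml)
    findings = []

    # Native modules: compare both the name and the DLL path, because a backdoor may
    # either register a new name or reuse a known name with a different image path.
    for add in root.iterfind(".//globalModules/add"):
        name, image = add.get("name", ""), add.get("image", "")
        expected = native_baseline.get(name)
        if expected is None:
            findings.append(Finding("native", name, image, "module not in baseline"))
        elif expected.lower() != image.lower():
            findings.append(Finding("native", name, image, f"image differs from baseline ({expected})"))

    # Managed modules: entries carrying a 'type' attribute load .NET code from the
    # application's bin directory or the GAC; anything outside the baseline gets flagged.
    for add in root.iterfind(".//modules/add"):
        name, type_name = add.get("name", ""), add.get("type")
        if type_name is None:
            continue  # plain name reference to a native global module, checked above
        if name not in managed_baseline:
            findings.append(Finding("managed", name, type_name, "managed module not in baseline"))

    return findings


if __name__ == "__main__":
    for f in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{f.kind}] {f.name}: {f.reason} -> {f.detail}")
```

On a real host the same function can be fed the contents of %windir%\System32\inetsrv\config\applicationHost.config (and each site's web.config for managed modules); the baseline should come from a freshly built reference server rather than from the host under investigation, since a compromised host's own configuration is exactly what is in question.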

Indeed, earlier this month, Kaspersky researchers announced a campaign by the Gelsemium group, which appeared to take advantage of the ProxyLogon Exchange Server flaws to launch a piece of IIS malware called SessionManager.

Another set of attacks observed by the tech giant between January and May 2022 involved targeting Exchange servers with web shells by way of an exploit for the ProxyShell flaws, ultimately leading to the deployment of a backdoor called “FinanceSvcModel.dll”, but not before a period of reconnaissance.

“The backdoor had built-in capabilities to perform Exchange administration operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration,” explains security researcher Hardik Suri.

To mitigate such attacks, it is recommended to apply the latest security updates for server components as soon as possible, keep antivirus and other protections enabled, review sensitive roles and groups, restrict access by following the principle of least privilege, and maintain good credential hygiene.