Several Malware Families Targeting IIS Web Servers With Malicious Modules

Several Malware Families Targeting IIS Web Servers With Malicious Modules

A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software continues to be a hotbed for natively developed malware for close to eight years.

The findings were presented today by ESET malware researcher Zuzana Hromcova at the Black Hat USA security conference.

"The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed," Hromcova told in an interview with The Hacker News. "Their motivations range from cybercrime to espionage, and a technique called SEO fraud."

IIS is an extensible web server software developed by Microsoft, enabling developers to take advantage of its modular architecture to incorporate additional IIS modules that expand on its core functionality.

"It comes as no surprise that the same extensibility is attractive for malicious actors – to intercept network traffic, steal sensitive data or serve malicious content," according to a ESET report shared with The Hacker News.

"Moreover, it is quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors' data, including authentication and payment information."

IIS malware phases

By collecting over 80 malware samples, the study grouped them into 14 unique families (Group 1 to Group 14), most of which were detected for the first time between 2018 and 2021 and are undergoing active development to date. While they may not exhibit any connection to one another, what's common among all the 14 malware families is that they are all developed as malicious native IIS modules.

"In all cases, the main purpose of IIS malware is to process HTTP requests incoming to the compromised server and affect how the server responds to (some of) these requests – how they are processed depends on malware type," Hromcova explained. The malware families have been found to operate in one of the five modes -

  • Backdoor mode - remotely control the compromised computer with IIS installed
  • Infostealer mode - intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information
  • Injector mode - modify HTTP responses sent to legitimate visitors to serve malicious content
  • Proxy mode - turn the compromised server into an unwitting part of command-and-control (C2) infrastructure for another malware family, and relay communication between victims and the actual C2 server
  • SEO fraud mode - modify the content served to search engine crawlers in order to artificially boost ranking for selected websites (aka doorway pages)

Infections involving IIS malware typically hinge on server administrators inadvertently installing a trojanized version of a legitimate IIS module or when an adversary is able to get access to the server by exploiting a configuration weakness or vulnerability in a web application or the server, using it to install the malware-laced IIS module.

infostealing mechanism

Indeed, after Microsoft released out-of-band patches for ProxyLogon flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 earlier this March, it was not long before multiple advanced persistent threat (APT) groups joined in the attack frenzy, with ESET observing four email servers located in Asia and South America that were compromised to deploy web shells that served as a channel to install IIS backdoors.

This is far from the first time Microsoft web server software has emerged a lucrative target for threat actors. Last month, researchers from Israeli cybersecurity firm Sygnia disclosed a series of targeted cyber intrusion attacks undertaken by an advanced, stealthy adversary known as Praying Mantis targeting internet-facing IIS servers to infiltrate high-profile public and private entities in the U.S.

To prevent compromise of IIS servers, it's recommended to use dedicated accounts with strong, unique passwords for administration-related purposes, install native IIS modules only from trusted sources, reduce the attack surface by limiting the services that are exposed to the internet, and use a web application firewall for an extra layer of security.

"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," Hromcova said. "We haven't seen anything like that before."