Wave of native IIS malware hits Windows servers

Security researchers warn that multiple groups are compromising Windows web servers and are deploying malware programs that are designed to function as extensions for Internet Information Services (IIS). Such malware was deployed this year by hackers exploiting Microsoft Exchange zero-day vulnerabilities, but a total of 14 groups have been observed using native IIS backdoors and information stealers in recent years.

“IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests,” researchers from security vendor ESET said in a recent report.

In total, the company has observed over 80 samples of malicious IIS extensions that belong to 14 distinct malware families, ten of which were previously undocumented.

The many uses of IIS malware

Microsoft’s web server, known as IIS, supports modules that are either implemented as DLLs (native) or are written in .NET (managed). Since native modules are loaded by the IIS Worker Process, which starts automatically, there is no need for attackers to implement any other persistence mechanisms for their malware. The modules have unrestricted access to all resources available to the worker process, so they are very powerful.

The ESET researchers have seen malicious IIS extensions that function as:

Backdoors, giving attackers control over the compromised server
Infostealers, intercepting regular web traffic between users and the server to steal login credentials, payment information and other sensitive data
Traffic injectors, modifying HTTP responses to redirect visitors to malicious content
Proxies, to turn the compromised servers into traffic relays between other malware programs and their real command-and-control servers
SEO fraud bots, modifying content served to search engine in order to artificially boost the SERP ranking of other websites

Server-side exploits and social engineering

Installing and configuring native IIS modules requires administrative privileges, so to deploy such malware attackers exploit vulnerabilities in servers that provide them with this level of access. “Between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon,” the ESET researchers said. “Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.”

The antivirus firm detected IIS backdoors that were deployed in this campaign on servers belonging to government institutions from three countries in Southeast Asia, a major telecommunications company in Cambodia, a research institution in Vietnam and dozens of private companies from the US, Canada, Vietnam, India, New Zealand, South Korea and other countries.

The same Exchange vulnerabilities were used by cyberespionage group Hafnium, which the US government linked to China’s Ministry of State Security (MSS), to compromise servers belonging to thousands of organizations and infect them with web shell. The attacks were so severe and widespread that the FBI obtained a rare search and seizure warrant that allowed it to actively access the hacked servers and clean the infections.

In addition to deployment through server exploitation, IIS malware is also distributed through social engineering by hiding it as Trojanized versions of legitimate IIS modules and relying on unwitting administrators to install them, the researchers said.

Detecting IIS malware

Unlike other malware programs that actively reach out to command-and-control servers to receive instructions, IIS malware has a passive communication channel enabled by the web server itself. Since they hook into the worker process, attackers can control them by sending specifically crafted HTTP requests to the web server.

Researchers observed attackers sending commands to IIS backdoors by generating specific URLs or request bodies that matched hardcoded regular expressions, sending requests with custom HTTP headers or specific tokens embedded in the URL, request body or headers. That said, IIS malware that redirects visitors to malicious websites or serves malicious content does usually reach out to remote servers in real time in order to obtain configurations.

To prevent and detect IIS malware the ESET researchers make the following recommendations:

Use dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor authentication (MFA) for these accounts. Monitor the usage of these accounts.
Regularly patch your OS and carefully consider which services are exposed to the internet to reduce the risk of server exploitation.
Consider using a web application firewall or endpoint security solution on your IIS server.
Native IIS modules have unrestricted access to any resource available to the server worker process, so install only native IIS modules from trusted sources to avoid downloading their Trojanized versions. Be especially aware of modules promising too-good-to-be-true features such as magically improving SEO.
Regularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a trusted provider or installed on purpose).

Some IIS malware can be transient, leaving few traces behind. Researchers from security firm Sygnia recently reported that a state-sponsored threat actor dubbed Praying Mantis relies on a malware framework developed for IIS and uses reflective loading techniques to load the malware directly in the memory of the IIS worker process. Such infections live only in RAM and would normally disappear if the server process is restarted, but web servers are rarely restarted because they’re designed to have stable uptimes. Praying Mantis deploys its malware by exploiting deserialization flaws in ASP.NET applications.