Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Anatomy of native IIS malware

August 7, 2021

ESET researchers publish a white paper putting IIS web server threats under the microscope

ESET researchers have discovered a set of previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications.

Along with a complete breakdown of the newly discovered families, our new paper, Anatomy of native IIS malware, provides a comprehensive guide to help fellow security researchers and defenders detect, dissect and mitigate this class of server-side threats. In this blogpost, we summarize the findings of the white paper.

Today, we are also launching a series of blogposts in which we introduce the most notable of the newly discovered IIS malware families, as case studies of how this type of malware is used for cybercrime, cyberespionage and SEO fraud. In addition to this overview piece, you can read the first of the three installments, IIStealer: A server-side threat to e-commerce transactions.

The findings of our IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community at the Virus Bulletin 2021 conference on October 8th.

IIS is Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types of extensions – native (C++ DLL) and managed (.NET assembly) modules. Focusing on malicious native IIS modules, we have found over 80 unique samples used in the wild and categorized them into 14 malware families – 10 of which were previously undocumented. ESET security solutions detect these families as Win{32,64}/BadIIS and Win{32,64}/Spy.IISniff.

How IIS malware operates

IIS malware is a diverse class of threats used for cybercrime, cyberespionage, and SEO fraud – but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests.

With the default installation, IIS itself is persistent, so there is no need for extension-based IIS malware to implement additional persistence mechanisms. Once configured as an IIS extension, the malicious IIS module is loaded by the IIS Worker Process (w3wp.exe), which handles requests sent to the server – this is where IIS malware can interfere with the request processing.

We identified five main modes in which IIS malware operates, as illustrated in Figure 1:

  • IIS backdoors allow their operators to remotely control the compromised computer with IIS installed
  • IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information. Using HTTPS does not prevent this attack, as IIS malware can access all data handled by the server – which is where the data is processed in its unencrypted state.
  • IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content
  • IIS proxies turn the compromised server into an unwitting part of the C&C infrastructure for another malware family, and misuse the IIS server to relay communication between victims of that malware and the real C&C server
  • SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking of other websites of interest to the attackers
Figure 1. Overview of IIS malware mechanisms

All of these malware types are discussed at length in the paper.

How (and where) it spreads

Native IIS modules have unrestricted access to any resource available to the server worker process – thus, administrative rights are required to install native IIS malware. This significantly narrows down the options for the initial attack vector. We have seen evidence for two scenarios:

  • IIS malware spreading as a trojanized version of a legitimate IIS module
  • IIS malware spreading through server exploitation

For example, between March and June 2021, we detected a wave of IIS backdoors spread via the Microsoft Exchange pre-authentication RCE vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), aka ProxyLogon. Targeted specifically were Exchange servers that have Outlook on the web (aka OWA) enabled – as IIS is used to implement OWA, these were a particularly interesting target for espionage.

After our colleagues reported the first such case in March 2021, we have detected four more campaigns of various IIS backdoors spreading to Microsoft Exchange servers through the same vulnerability. To complement our telemetry, we have performed internet-wide scans to detect the presence of these backdoors, which allowed us to identify and notify other victims of the malware.

Figure 2 shows the geographical locations of servers affected by these five campaigns, using data from our telemetry and internet-wide scans.

Figure 2. Victims of native IIS backdoors spread via the ProxyLogon vulnerability chain

The following entities were among the victims:

  • Government institutions in three countries in Southeast Asia
  • A major telecommunications company in Cambodia
  • A research institution in Vietnam
  • Dozens of private companies in a range of industries, located mostly in Canada, Vietnam and India, and others in the USA, New Zealand, South Korea, and other countries

Note that while IIS backdoors may be well-suited for spying on high-profile mailboxes, victims of IIS malware are not limited to compromised servers – all legitimate visitors of the websites hosted by these servers are potential targets, as the malware can be used to steal sensitive data from the visitors (IIS infostealers) or serve malicious content (IIS injectors). Please refer to the full white paper for the details on the targets of the other analyzed IIS families.

The insides of native IIS malware

From the technical perspective, all types of native IIS malware are implemented as dynamic-link libraries (DLLs), written using the IIS C++ API. Any such DLL must:

  • Implement a class inherited from either the CHttpModule or CGlobalModule class (or both), and override various of that class’s methods (event handlers)
  • Export the RegisterModule function, which is the library entry point, responsible for creating the instances of these classes and registering the implemented handlers for server events, as illustrated in Figure 3.
Figure 3. A typical RegisterModule function of native IIS malware

Server events refer to the steps that the IIS server takes during request processing (see Figure 4), but also to other actions taken by the server (for example, sending an HTTP response). These events generate event notifications, which are handled by event handlers implemented in the server’s modules (see Figure 5).

Figure 4. HTTP request-processing pipeline in IIS

In short, the event handlers (that is, the methods of the IIS module core classes) are where the IIS malware functionality is implemented and where reverse engineers should focus their analysis. For a deep dive into IIS malware essentials and how to analyze such binaries, refer to the Anatomy of native IIS malware section of our white paper.

Figure 5. Event handlers: methods of the module classes, CHttpModule and CGlobalModule

Network communication

A notable feature of IIS malware is the way it communicates with its operators. Malicious IIS modules, especially IIS backdoors, don’t usually create new connections to their C&C servers. They work as passive implants, allowing the attackers to control them by providing some “secret” in an HTTP request sent to the compromised IIS web server. That’s why IIS backdoors usually have a mechanism to recognize attacker requests, which are used to control the server and have a predefined structure, such as:

  • URL or request body matching a specific regex
  • A specific custom HTTP header present
  • An embedded token (in the URL, request body or one of the headers) matching a hardcoded password
  • A hash value of an embedded token matching a hardcoded value
  • A more complex condition – for example, a relationship between all of the above
Figure 6. Passive C&C communication channel (IIS backdoors)

On the other hand, some IIS malware categories do implement an alternative C&C channel – using protocols such as HTTP or DNS – to obtain the current configuration on the fly. For example, an IIS injector contacts its C&C server every time there is a new request from a legitimate visitor of the compromised website, and uses the server response to modify the content served to that visitor (for example, by adding malicious code or adware).

Figure 7. Alternative C&C communication mechanism (IIS injectors)

Table 1 summarizes how the C&C channels, as well as other notable techniques, are implemented by the 14 analyzed IIS malware families.

Table 1. Summary of obfuscations implemented, and functionalities supported by analyzed IIS malware families

Group # | C&C channel: attacker request verification (e.g. specific header present, specific URI, query string parameter) | C&C channel: alternative channel protocol | Detection evasion: encryption/obfuscation | Detection evasion: other
Group 1 | HTTP header with hardcoded password | – | base64 | –
Group 2 | HTTP header with hardcoded password | – | RSA + AES-CBC | –
Group 3 | HTTP header present | – | base64 | –
Group 4 | HTTP header with hardcoded password | – | XOR + base64 | Anti-logging
Group 5 | URI and HTTP header with hardcoded password | – | String stacking | –
Group 6 | Query string parameter | – | – | –
Group 7 | Relationship between HTTP headers, HTTP body format | – | AES-CBC | Anti-logging
Group 8 | HTTP header with hardcoded password | – | – | –
Group 9 | No support for attacker requests | HTTP | Encrypted strings (XOR 0x56) | –
Group 10 | No support for attacker requests | HTTP to obtain JavaScript config | – | –
Group 11 | HTTP header with hardcoded password | DNS TXT to obtain config, HTTP for C&C | String encryption (ADD 0x02) | –
Group 12, variant A | HTTP header with password whose MD5 hash is hardcoded | HTTP | String encryption (ADD 0x01) | –
Group 12, variant B | – | HTTP | UPX packing | –
Group 12, variant C | No support for attacker requests | HTTP | String encryption (XOR 0x0C) | –
Group 13 | Query string parameter | HTTP | – | –
Group 14 | No support for attacker requests | HTTP | – | –

Since native IIS modules can only be installed with administrative privileges, the attackers first need to obtain elevated access to the IIS server. The following recommendations might help make their work harder:

  • Use dedicated accounts with strong, unique passwords for the administration of the IIS server. Require multifactor authentication (MFA) for these accounts. Monitor the usage of these accounts.
  • Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
  • Consider using a web application firewall and/or an endpoint security solution on your IIS server.
  • Native IIS modules have unrestricted access to any resource available to the server worker process; you should only install native IIS modules from trusted sources to avoid downloading trojanized versions of them. Be especially wary of modules promising too-good-to-be-true features such as magically improving SEO.
  • Regularly check the IIS server configuration to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
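As an added example that is not part of the ESET paper or its YARA rules, the following PowerShell script implements the last recommendation: it enumerates the native modules registered in applicationHost.config (the <globalModules> entries, exposed by the WebAdministration module that ships with IIS), checks each DLL’s Authenticode signature, and lists modules that are unsigned, missing on disk, or loaded from outside the IIS installation directory. It assumes it is run in an elevated PowerShell session on the IIS host itself.

```powershell
# Added example (not ESET's code): audit the native IIS modules registered in
# applicationHost.config. Native modules are the <globalModules> entries, which
# Get-WebGlobalModule (WebAdministration, shipped with IIS) enumerates.
Import-Module WebAdministration

# Native modules shipped with IIS live here; anything elsewhere needs a reason.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'

$report = foreach ($m in Get-WebGlobalModule) {
    # Image paths are stored with environment variables such as %windir%
    $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        Name      = $m.Name
        Image     = $path
        Exists    = $exists
        Signed    = ($null -ne $sig -and $sig.Status -eq 'Valid')
        Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        InInetsrv = $path.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)
        Sha256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
    }
}

# Review list: unsigned, missing on disk, or loaded from an unexpected directory.
# Legitimate third-party modules can land here too, so compare the output with
# the server's known-good baseline rather than treating every hit as malware.
$review = $report | Where-Object { -not $_.Signed -or -not $_.InInetsrv }
$review | Format-Table Name, Image, Exists, Signed, Publisher, Sha256 -AutoSize
```

The SHA-256 column lets you compare a suspicious DLL against the IoCs published with the white paper without copying the file off the server.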

For details on how to detect and remove IIS malware, refer to the Mitigation section of the white paper. We are also publishing a set of YARA rules that you can leverage to detect all 14 analyzed IIS malware families.

Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers to become part of the IIS server, and intercept or modify its traffic.

It is still quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use OWA should also pay attention, as it depends on IIS and could be an interesting target for espionage.

While IIS server threats are not limited to native IIS malware, we believe this paper will be a useful starting point for defenders for understanding, identifying, and removing IIS threats, and a guide for our fellow researchers to reverse engineer this class of threats and understand their common tactics, techniques and procedures.

Additional technical details on the malware and Indicators of Compromise can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: [email protected].

Acknowledgements to fellow ESET malware researchers Marc-Étienne Léveillé and Mathieu Tartare for their work on this investigation.
