Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

IISpy: A complex server‑side backdoor with anti‑forensic features

August 10, 2021

The second in our series on IIS threats dissects a malicious IIS extension that employs nifty tricks in an attempt to secure long-term espionage on the compromised servers

ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.

This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the previous part discusses IIS malware used for cybercrime. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).

Attack overview

According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.

According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators to not use any security software on servers, and thus our visibility into IIS servers is limited.

Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will reply with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.

The following backdoor commands are supported:

  • Get system information
  • Upload/download files
  • Execute files or shell commands
  • Create a reverse shell
  • Create/list/move/rename/delete files and folders
  • Create a mapping between a local and a remote drive
  • Exfiltrate collected data

IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.

Figure 1. IISpy backdoor control mechanism

Network communication

The control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and Host header of an inbound HTTP request, and splits each MD5 into four double words:

  • = md5(Host Header value)

  • = md5(Raw URL value)

Then, it verifies that the Cookie header contains a substring constructed from these values:

  • =

Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES-CBC encrypted and base64 encoded.

Figure 2. IISpy control HTTP request format

Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to these “secrets”, IISpy’s control requests are harder to fingerprint and find in logs, which is an attempt to keep its C&C communication unnoticed.

Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response inside a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
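A response that claims to be image/png but is really a PNG header followed by arbitrary data, or a real-looking PNG carrying a large text chunk, can be told apart from a genuine image by walking the chunk structure. The following Python is an added illustration written for this post; it is not ESET's code and not IISpy's. TEXT and BLOB in the paragraph above are not PNG chunk type names, so the check treats the text field of a tEXt chunk and any chunk type outside the PNG specification as candidate carriers; the sample bodies are constructed here and the 64-byte length threshold is an assumption.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is an unknown chunk.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                   b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST",
                   b"tIME", b"tEXt", b"zTXt", b"iTXt"}
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def _chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(body):
    """Walk the chunks after the signature. Returns (chunks, error); error is None
    when the chunk list is well formed, otherwise a string saying where it broke."""
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos < len(body):
        if pos + 8 > len(body):
            return chunks, "truncated chunk header at offset %d" % pos
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(body):
            return chunks, "chunk %r at offset %d runs past the end of the body" % (ctype, pos)
        data = body[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", body[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return chunks, "CRC mismatch in chunk %r at offset %d" % (ctype, pos)
        chunks.append((ctype, data))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, None

def _looks_like_payload(ctype, data, threshold):
    """True for a free-form chunk whose content is a long run of base64 characters."""
    if ctype == b"tEXt":
        data = data.split(b"\x00", 1)[-1]      # drop the keyword, keep the text field
    elif ctype in STANDARD_CHUNKS:
        return False                           # fixed-layout image or metadata chunk
    return len(data) >= threshold and BASE64_RE.match(data) is not None

def inspect_png_response(content_type, body, threshold=64):
    """Return the reasons an image/png response looks like a carrier for data."""
    if not content_type.lower().startswith("image/png"):
        return []
    if not body.startswith(PNG_SIGNATURE):
        return ["Content-Type is image/png but the body lacks the PNG signature"]
    chunks, error = parse_chunks(body)
    if error:
        return ["PNG signature followed by non-image data: " + error]
    reasons = []
    if not chunks or chunks[0][0] != b"IHDR":
        reasons.append("first chunk is not IHDR")
    if not chunks or chunks[-1][0] != b"IEND":
        reasons.append("chunk list does not end with IEND")
    for ctype, data in chunks:
        if _looks_like_payload(ctype, data, threshold):
            reasons.append("%r chunk carries %d bytes of base64-looking text" % (ctype, len(data)))
    return reasons

# Constructed samples: a genuine 1x1 grayscale PNG, a signature followed by a bare
# base64 blob, and a structurally valid PNG with a large base64 tEXt chunk.
IHDR_1X1 = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GENUINE_PNG = (PNG_SIGNATURE + _chunk(b"IHDR", IHDR_1X1)
               + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
FAKE_BARE = PNG_SIGNATURE + base64.b64encode(bytes(range(90)))
FAKE_TEXT = (PNG_SIGNATURE + _chunk(b"IHDR", IHDR_1X1)
             + _chunk(b"tEXt", b"Comment\x00" + base64.b64encode(bytes(range(96))))
             + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_PNG), ("bare", FAKE_BARE), ("text", FAKE_TEXT)):
        print(label, inspect_png_response("image/png", body) or "no findings")
```

The structural checks (signature, chunk lengths, CRCs, IHDR first, IEND last) are exact, so a "PNG header followed by non-image data" body always trips them; the base64 heuristic on free-form chunks will also fire on the occasional legitimate image with an embedded comment, so treat it as a triage signal to pair with the server-side module audit rather than as a verdict.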

Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:

  • Encryption key: DA1F8BE19D9122F6499D72B90299CAB080E9D599C57E802CD667BF53CCC9EAB2
  • IV: 668EDC2D7ED614BF8F69FF614957EF83EE

Technical analysis

From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the %windir%\system32\inetsrv or the %windir%\SysWOW64\inetsrv folder on the compromised IIS server, under the name cache.dll or logging.dll.

IISpy is configured as an IIS extension in the %windir%\system32\inetsrv\config\ApplicationHost.config configuration file, and so it is loaded automatically by the IIS Worker Process (w3wp.exe), which handles all requests sent to the IIS web server. As far as execution and persistence goes, configuring IISpy as an IIS module itself checks all the boxes – all that’s left to implement inside the malicious module is the actual request processing (and as a bonus, a few anti-detection and anti-forensic techniques). We cover both in this section.
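Since a native module only runs if it is registered in ApplicationHost.config, that file is the natural place for a defender to start. The following Python audit is an added example written for this post (it is not ESET's code or tooling): it parses the globalModules section, lists every native module with its DLL path, and flags entries whose file name matches the names reported above. The configuration excerpt is constructed; the real module entries in it are IIS defaults, the CacheModule, LoggingModule and CustomRewrite entries are made up. The "loaded from outside inetsrv" check is a general hygiene heuristic I added, not an IISpy indicator, because IISpy itself deploys into the inetsrv folders.

```python
import ntpath
import xml.etree.ElementTree as ET

# DLL names the post reports for the IISpy module.
IISPY_DLL_NAMES = {"cache.dll", "logging.dll"}

# Folders the post names as IISpy's deployment locations (lower-cased, with
# %windir% left unexpanded so the comparison does not depend on the host).
INETSRV_DIRS = {r"%windir%\system32\inetsrv", r"%windir%\syswow64\inetsrv"}

# Constructed excerpt of ApplicationHost.config. StaticFileModule, HttpLoggingModule
# and UriCacheModule are genuine IIS defaults; the last three entries are made up.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="CacheModule" image="%windir%\System32\inetsrv\cache.dll" />
      <add name="LoggingModule" image="%windir%\SysWOW64\inetsrv\logging.dll" preCondition="bitness32" />
      <add name="CustomRewrite" image="C:\inetpub\tools\rewrite.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def native_modules(config_xml):
    """Return (module name, image path) for every native module in <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            modules.append((add.get("name"), add.get("image")))
    return modules

def audit_native_modules(config_xml):
    """Return (module name, image path, reason) for entries that deserve a closer look."""
    findings = []
    for name, image in native_modules(config_xml):
        folder = ntpath.dirname(image).lower()    # ntpath handles Windows paths on any host
        dll = ntpath.basename(image).lower()
        if dll in IISPY_DLL_NAMES:
            findings.append((name, image, "DLL name matches a name reported for IISpy"))
        elif folder not in INETSRV_DIRS:
            # Hygiene heuristic added here, not an IISpy indicator: surfaces
            # native modules loaded from outside the inetsrv folders for review.
            findings.append((name, image, "native module loaded from outside inetsrv"))
    return findings

if __name__ == "__main__":
    for name, image in native_modules(SAMPLE_CONFIG):
        print("%-20s %s" % (name, image))
    for name, image, reason in audit_native_modules(SAMPLE_CONFIG):
        print("REVIEW: %s (%s): %s" % (name, image, reason))
```

On a live server, feed the script the real %windir%\system32\inetsrv\config\ApplicationHost.config and compare the inventory against a known-good baseline from a clean install of the same IIS version; a name match is only a starting point, since an operator can rename the DLL, so the full list, with file hashes and signatures checked separately, is what the review should cover.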

Module design

IISpy is written using the IIS C++ API, and uses instances of the IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.

As required by all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.

Figure 3. IISpy's RegisterModule export

IISpy’s core class is inherited from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:

  • OnBeginRequest is called every time the server starts processing a new HTTP request, and IISpy uses this handler to parse it in search of attacker requests
  • OnEndRequest, called as the last step during the HTTP request-processing pipeline, implements IISpy’s backdoor interpreter
  • OnLogRequest, called right before the IIS server logs a processed HTTP request, implements IISpy’s anti-logging feature

IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since multiple IIS modules (malicious and legitimate) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other handlers registered for the same event.

Figure 4. IISpy's core class implements three event handlers

Backdoor commands

In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.

Table 1. IISpy attacker request parameters

Key | Value
/mode | Command type
/action | Command
 | Command arguments (see Table 2 for full list)
/credential/username | Local user username, used for impersonation
/credential/password | Local user password, used for impersonation

If the credentials are present, IISpy uses them to log in as the user (via LogonUserW, ImpersonateLoggedOnUser) to execute the backdoor commands in the user’s context. The backdoor commands and arguments are also organized as nested key-value pairs, as listed in Table 2.

Table 2. IISpy backdoor commands and arguments

Command type (/mode value) | Command (/action value) | Arguments (key names) | Command description | Returned data (map structure or description)
init | N/A | N/A | Collects basic system information: computer name and domain, username and domain, logical drives information. | /computer/domain
file | list | /path | Collects information about the files in the specified folder. | /-
file | get | /path | Downloads the file with the specified name from the compromised IIS server. | The contents of the file, encrypted and embedded in a fake PNG image (a PNG header followed by non-image data).
file | create | /path | Creates a new file or directory in the specified path. Optional /data argument can hold the file content. | /-
file | upload | /path | Uploads a file with the specified name to the compromised server. The /data entry contains base64-encoded file content. | /-
file | delete | /path | Deletes the list of files/directories in the given path. | /files
file | move | /path | Copies or renames files from the list, from the source directory to the destination directory. | /files
file | time | /path | Modifies file timestamps | N/A
drive | map | /letter | Creates a mapping between a local and a remote drive, using the specified credentials for the network resource. | N/A
drive | remove | /letter | Removes an existing drive mapping | N/A
cmd | exec | /cmd | Executes the specified command, either under the context of the current user, or the user provided in arguments. Returns the command output. | /output

After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to modify the HTTP response to the attacker’s request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):

  • /error/code
  • /error/message

Anti-logging feature

Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers to make them look like casual requests. As shown in Figure 5, these steps are taken:

  • Rewrite the HTTP method in the request to GET
  • Rewrite the URL from the request to /
  • Delete these headers from the request: Cookie, Origin, Referer, Sec-Fetch-Mode, Sec-Fetch-Site, Content-Type, Content-Length, X-Forwarded-IP, X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto

With the log entries modified this way, the attackers attempt to further hide traces of their malicious actions, to make potential forensic analysis harder.
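Because the rewriting happens inside the IIS worker process, a log source outside that process (a reverse proxy, load balancer or network sensor in front of the server) still records the method and URL the client actually sent, so the two records disagree exactly for the rewritten requests. The following Python example is added here and is not part of ESET's post: it correlates a constructed IIS W3C log with a constructed common-log-format proxy log by client address and timestamp and reports every pair whose method or URL path differ. The log formats, the assumption that both clocks are in UTC, and the 2-second matching tolerance are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed IIS W3C log excerpt (UTC). The 10:02:15 entry is what a request looks
# like after the rewriting described above: GET, URL "/", no Referer.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-07-14 10:02:11 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2021-07-14 10:02:15 10.0.0.5 GET / - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 341
2021-07-14 10:02:20 10.0.0.5 POST /api/login - 443 - 203.0.113.7 Mozilla/5.0 https://www.example.com/ 200 0 0 40
"""

# Constructed access log from a reverse proxy in front of the server (common log
# format); it records what each client really sent.
PROXY_LOG = """203.0.113.7 - - [14/Jul/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.23 - - [14/Jul/2021:10:02:15 +0000] "POST /images/banner.png HTTP/1.1" 200 2140
203.0.113.7 - - [14/Jul/2021:10:02:20 +0000] "POST /api/login HTTP/1.1" 200 88
"""

PROXY_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_iis_log(text):
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            entries.append(rec)
    return entries

def parse_proxy_log(text):
    """Parse common-log-format lines into naive UTC timestamps plus method and URI."""
    entries = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ip, ts, method, uri = m.group(1), m.group(2), m.group(3), m.group(4)
        when = (datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
                .astimezone(timezone.utc).replace(tzinfo=None))
        entries.append({"c-ip": ip, "ts": when, "method": method, "uri": uri})
    return entries

def find_rewritten_entries(iis_text, proxy_text, tolerance_s=2):
    """Pair each IIS entry with the nearest proxy entry from the same client and
    return the pairs whose method or URI path disagree."""
    proxy = parse_proxy_log(proxy_text)
    window = timedelta(seconds=tolerance_s)
    findings = []
    for rec in parse_iis_log(iis_text):
        same_client = [p for p in proxy
                       if p["c-ip"] == rec["c-ip"] and abs(p["ts"] - rec["ts"]) <= window]
        if not same_client:
            continue
        p = min(same_client, key=lambda cand: abs(cand["ts"] - rec["ts"]))
        if p["method"] != rec["cs-method"] or p["uri"].split("?", 1)[0] != rec["cs-uri-stem"]:
            findings.append({"c-ip": rec["c-ip"], "time": rec["ts"].isoformat(),
                             "iis": (rec["cs-method"], rec["cs-uri-stem"]),
                             "proxy": (p["method"], p["uri"])})
    return findings

if __name__ == "__main__":
    for finding in find_rewritten_entries(IIS_LOG, PROXY_LOG):
        print(finding)
```

Nearest-timestamp pairing is deliberately simple; a busy client sending several requests in the same second can produce false pairs, so on real data add the response size or a request identifier passed through by the proxy as a second join key. The deleted X-Forwarded-* headers are the same ones a proxy would normally add, which is one more reason to keep the proxy's own log as the authoritative copy.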

Figure 5. IISpy modifies log entries for attacker requests


IISpy is a complex server-side backdoor misusing the extensibility of IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with the regular network traffic, and to clear incriminating logs, it is designed for long-term espionage on compromised IIS servers.

Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy out of your servers is to keep them up to date, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.

Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: [email protected].

Stay tuned for the last installment of this series where we cover malicious IIS extensions used for SEO fraud.

Indicators of Compromise (IoCs)

ESET detection names






MITRE ATT&CK techniques

Note: This table was built using version 9 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family.
 | T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato, a local privilege escalation tool.
Initial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server.
 | T1569.002 | System Services: Service Execution | IIS server (and by extension, IISpy) persists as a Windows service.
Persistence | T1546 | Event Triggered Execution | IISpy is loaded by the IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used the local privilege escalation tool Juicy Potato to elevate privileges.
Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user’s context (via LogonUserW, ImpersonateLoggedOnUser).
 | T1070 | Indicator Removal on Host | IISpy has the ability to sanitize logging of attacker requests on the IIS server.
 | T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps.
Collection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate files from the compromised IIS server.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: adversaries send HTTP requests to the compromised IIS server to control the backdoor.
 | T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C&C traffic look like regular network traffic.
 | T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C&C communication with base64 encoding.
 | T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt C&C communication.
 | T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server.
Exfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server.
