The second in our series on IIS threats dissects a malicious IIS extension that employs clever tricks in an attempt to secure long-term espionage on the compromised servers
ESET researchers have discovered and analyzed a previously undocumented backdoor, implemented as an extension for Internet Information Services (IIS), Microsoft’s web server software. The backdoor, which we named IISpy, uses a variety of tricks to interfere with the server’s logging and to evade detection, in order to perform long-term espionage. IISpy is detected by ESET security solutions as Win{32,64}/BadIIS.
This blogpost is the second installment in our series where ESET researchers put IIS web server threats under the microscope – the previous part discusses IIS malware used for cybercrime. For a comprehensive guide on how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IISpy is featured as one of the studied families (Group 7).
Attack overview
According to ESET telemetry, this backdoor has been active since at least July 2020, and has been used together with Juicy Potato (detected as Win64/HackTool.JuicyPotato by ESET security solutions), which is a privilege escalation tool. We suspect the attackers first obtain initial access to the IIS server via some vulnerability, and then use Juicy Potato to obtain the administrative privileges that are required to install IISpy as a native IIS extension.
According to our telemetry, IISpy affects a small number of IIS servers located in Canada, the USA and the Netherlands – but this is likely not the full picture, as it is still common for administrators not to use any security software on servers, and thus our visibility into IIS servers is limited.
Because IISpy is configured as an IIS extension, it can see all the HTTP requests received by the compromised IIS server, and shape the HTTP response that the server will reply with. IISpy uses this channel to implement its C&C communication, which allows it to operate as a passive network implant. As shown in Figure 1, the operator (not the backdoor) initiates the connection by sending a special HTTP request to the compromised server. The backdoor recognizes the attacker request, extracts and executes the embedded backdoor commands, and modifies the HTTP response to include the command output.
The following backdoor commands are supported:
- Get system information
- Upload/download files
- Execute files or shell commands
- Create a reverse shell
- Create/list/move/rename/delete files and folders
- Create a mapping between a local and a remote drive
- Exfiltrate collected data
IISpy ignores all other HTTP requests sent to the compromised IIS server by its legitimate visitors – of course, these are still handled by the benign server modules.
Network communication
The control requests from IISpy’s operators have a predefined structure, with a specific (hidden) relationship between the Cookie and Host headers, and the URL. To identify such requests, IISpy first computes the MD5 hash of both the URL and the Host header of an inbound HTTP request, and splits each MD5 into four double words:
= md5(Host header value)
= md5(Raw URL value)
Then, it verifies that the Cookie header contains a substring constructed from these values:
=
Figure 2 illustrates how this substring is assembled. Backdoor commands are embedded in the HTTP body, AES-CBC encrypted and base64 encoded.
Note that this structure of control requests is unique to IISpy: all the other known IIS backdoors (that we have documented in our white paper Anatomy of native IIS malware) are controlled by hardcoded passwords, specific URIs or custom HTTP headers. As opposed to these “secrets”, IISpy’s control requests are harder to fingerprint and to find in logs, which is an attempt to keep its C&C communication unnoticed.
Another such trick is used for the other side of the communication: IISpy embeds its encrypted and encoded response inside a fake PNG image, between the PNG file headers as a TEXT or BLOB chunk. To reply to a control HTTP request, IISpy replaces the original HTTP response body (sent by the IIS server) with the fake PNG file, and sets the Content-Type header to image/png to give more credibility to this charade.
Both sides of the C&C communication are AES-CBC encrypted and base64 encoded, using these parameters:
- Encryption key: DA1F8BE19D9122F6499D72B90299CAB080E9D599C57E802CD667BF53CCC9EAB2
- IV: 668EDC2D7ED614BF8F69FF614957EF83EE
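As an added triage aid (not code from the ESET write-up or from the malware), the following Python walks the chunk structure of an image/png response body and reports the two carrier shapes described above: a PNG header followed directly by non-chunk data, or a text chunk carrying a base64 blob, in either case with no pixel data behind it. The three sample bodies are constructed inline for the example.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"^[A-Za-z0-9+/=]{32,}$")

def png_chunk(ctype, payload):
    """Serialize one PNG chunk with a correct CRC (used only to build the samples)."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def parse_png_chunks(data):
    """Walk well-formed chunks after the signature; return (chunks, offset of first unconsumed byte)."""
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not ctype.isalpha() or pos + 12 + length > len(data):
            break  # not a chunk header: a raw blob was placed right after the PNG header
        chunks.append((ctype.decode("ascii"), data[pos + 8:pos + 8 + length]))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos

def triage_png_body(body):
    """Reasons an image/png response body looks like a data carrier rather than a picture."""
    if not body.startswith(PNG_SIGNATURE):
        return ["image/png body without a PNG signature"]
    chunks, consumed = parse_png_chunks(body)
    types = [t for t, _ in chunks]
    findings = []
    if types[:1] != ["IHDR"]:
        findings.append("first chunk is not IHDR")
    if "IDAT" not in types:
        findings.append("no IDAT chunk (no pixel data)")
    for ctype, payload in chunks:
        # tEXt payload is keyword, NUL, text; a long base64 run in the text is the carrier shape
        if ctype in ("tEXt", "zTXt", "iTXt") and B64_RUN.match(payload.split(b"\x00", 1)[-1]):
            findings.append(f"{ctype} chunk holds a base64-like blob ({len(payload)} bytes)")
    if consumed < len(body):
        findings.append(f"{len(body) - consumed} bytes of non-chunk data after offset {consumed}")
    return findings

# Constructed samples: a valid 1x1 grayscale PNG, a header-plus-tEXt carrier, a header-plus-raw-blob carrier.
GOOD_PNG = (PNG_SIGNATURE + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
FAKE_TEXT_PNG = PNG_SIGNATURE + png_chunk(b"tEXt", b"Comment\x00" + base64.b64encode(b"C2 output" * 8))
FAKE_RAW_PNG = PNG_SIGNATURE + base64.b64encode(b"C2 output" * 8)
```

Run it over response bodies captured at a proxy or from a PCAP; a real image yields an empty list, while either carrier shape yields several findings.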
Technical analysis
From the technical standpoint, IISpy is implemented as a native IIS module – a C++ DLL deployed in the
IISpy is configured as an IIS extension in the
Module design
IISpy is written using the IIS C++ API, and uses instances of the IHttpContext, IHttpRequest and IHttpResponse interfaces to parse HTTP requests and manipulate the HTTP responses.
As required of all native IIS modules, it exports a function called RegisterModule, where it creates an instance of its core classes and registers their methods for server events using the IHttpModuleRegistrationInfo::SetRequestNotifications method, as shown in Figure 3.
IISpy’s core class is inherited from CHttpModule and, as seen in Figure 4, overrides three of its methods – event handlers for the server events:
- OnBeginRequest, called every time the server begins processing a new HTTP request; IISpy uses this handler to parse the request in search of attacker requests
- OnEndRequest, called as the last step of the HTTP request-processing pipeline, implements IISpy’s backdoor interpreter
- OnLogRequest, called right before the IIS server logs a processed HTTP request, implements IISpy’s anti-logging feature
IISpy registers these handlers with the highest priority (via the IHttpModuleRegistrationInfo::SetPriorityForRequestNotification API). Since multiple IIS modules (malicious and regular) can be registered for the same event, this ensures that IISpy’s handler will be executed before any other handlers registered for the same event.
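Native modules registered this way appear in the `globalModules` section of the server’s applicationHost.config, which makes that file the first place to audit. The Python below is an added check (not from the ESET write-up) that flags native modules loaded from outside the inetsrv directory or named like the filenames in this page’s IoC section; the config excerpt and the `C:\inetpub\temp\cache.dll` path are constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

IOC_FILENAMES = {"cache.dll", "logging.dll"}  # from this page's IoC section
TRUSTED_DIR = PureWindowsPath(r"%windir%\System32\inetsrv")  # where Microsoft's native modules live

# Constructed applicationHost.config excerpt with one planted module; the image path is hypothetical.
APPHOST_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="CacheModule" image="C:\inetpub\temp\cache.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="CacheModule" />
    </modules>
  </system.webServer>
</configuration>"""

def audit_native_modules(config_xml):
    """Return [(name, image, reasons)] for each globalModules entry that deserves a closer look."""
    root = ET.fromstring(config_xml)
    enabled = {m.get("name") for m in root.iterfind("./system.webServer/modules/add")}
    suspicious = []
    for mod in root.iterfind("./system.webServer/globalModules/add"):
        name, image = mod.get("name"), mod.get("image", "")
        path = PureWindowsPath(image)
        reasons = []
        if TRUSTED_DIR not in path.parents:
            reasons.append(f"image loaded from outside {TRUSTED_DIR}")
        if path.name.lower() in IOC_FILENAMES:
            reasons.append(f"filename {path.name} matches a published IISpy IoC")
        if reasons:
            # a registered-but-disabled module is still planted code, so record both states
            reasons.append("enabled in <modules>" if name in enabled else "registered but not enabled")
            suspicious.append((name, image, reasons))
    return suspicious
```

Anything flagged should then be checked for a valid Authenticode signature and its hash compared with the IoCs below.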
Backdoor commands
In its OnEndRequest handler, IISpy decrypts the HTTP body of an attacker’s request and extracts its parameters, which are organized as key-value pairs and listed in Table 1.
Table 1. IISpy attacker request parameters
Key | Value
---|---
/mode | Command type
/action | Command
/path /binary /data … | Command arguments (see Table 2 for the full list)
/credential/username | Local user username, used for impersonation
/credential/password | Local user password, used for impersonation
If the credentials are present, IISpy uses them to log in as that user (via LogonUserW, ImpersonateLoggedOnUser) and execute the backdoor commands in the user’s context. The backdoor commands and their arguments are also organized as nested key-value pairs, as listed in Table 2.
Table 2. IISpy backdoor commands and arguments
Command type (/mode value) | Command (/action value) | Arguments (key names) | Command description | Returned data (map structure or description)
---|---|---|---|---
init | N/A | N/A | Collects basic system information: computer name and domain, username and domain, logical drives information. | /computer/domain /computer/name /user/domain /user/name /- /name /type
file | list | /path | Collects information about the files in the specified folder. | /- /name /attr /size /create /access /write
file | get | /path /binary | Downloads the file with the specified name from the compromised IIS server. | The contents of the file, encrypted and embedded inside a fake PNG image (a PNG header followed by non-image data).
file | create | /path /directory /data | Creates a new file or directory in the specified path. The optional /data argument can hold the file content. | /- /file /attr /size /create /access /write
file | upload | /path /data | Uploads a file with the specified name to the compromised server. The /data entry contains base64-encoded file content. | /- /file /attr /size /create /access /write
file | delete | /path /files /name /attr | Deletes the list of files/directories in the given path. | /files /code /name
file | move | /path /dest /copy /files /name /new | Copies or renames files from the list, from the source directory to the destination directory. | /files /code /name
file | time | /path /create /access /write | Modifies file timestamps. | N/A
drive | map | /letter /share /username /password | Creates a mapping between a local and a remote drive, using the specified credentials for the network resource. | N/A
drive | remove | /letter | Removes an existing drive mapping. | N/A
cmd | exec | /cmd | Executes the specified command, either in the context of the current user or of the user provided in the arguments. Returns the command output. | /output
After executing the backdoor command, IISpy encrypts and encodes its return data and uses it to replace the HTTP response to the attacker’s request. The return data is also organized as key-value pairs, with the entries listed in Table 2, plus two additional entries based on the GetLastError result (or custom error messages):
- /error/code
- /error/message
Anti-logging feature
Finally, IISpy implements the OnLogRequest event handler – called right before the IIS server logs a processed HTTP request. The backdoor uses this handler to modify the log entries for requests coming from the attackers, to make them look like casual requests. As shown in Figure 5, these steps are taken:
- Rewrite the HTTP method in the request to GET
- Rewrite the URL in the request to /
- Delete these headers from the request: Cookie, Origin, Referer, Sec-Fetch-Mode, Sec-Fetch-Site, Content-Type, Content-Length, X-Forwarded-IP, X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto
With the log entries modified this way, the attackers attempt to further hide the traces of their malicious actions, to make any forensic analysis harder.
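Because this rewrite happens inside the IIS worker process, it can only alter what IIS itself logs; an upstream record of the same request (reverse proxy, load balancer or network sensor) still shows the real method, URL and Cookie. The Python below, an added example that is not part of the original post, pairs constructed proxy log lines with constructed IIS W3C log lines by client IP and timestamp and reports entries that IIS logged as `GET /` while the proxy saw a different request; the log formats are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt; the second line is what the rewrite described above
# leaves behind for an attacker request (method GET, URL /, Cookie field empty).
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2021-07-01 10:00:01 198.51.100.7 GET /owa/ lang=en 200
2021-07-01 10:00:05 203.0.113.9 GET / - 200
2021-07-01 10:00:09 198.51.100.7 POST /owa/auth.owa lang=en 302
"""
# Constructed upstream reverse-proxy log of the same three requests, which the module cannot touch.
PROXY_LOG = """\
2021-07-01T10:00:01Z 198.51.100.7 GET /owa/ cookie=yes 200
2021-07-01T10:00:05Z 203.0.113.9 POST /owa/auth/logon.aspx cookie=yes 200
2021-07-01T10:00:09Z 198.51.100.7 POST /owa/auth.owa cookie=yes 302
"""

def parse_iis_w3c(text):
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(rec)
    return rows

def parse_proxy(text):
    """Parse the constructed proxy format: ISO timestamp, client IP, method, URI, cookie flag, status."""
    rows = []
    for ts, ip, method, uri, cookie, status in (l.split() for l in text.splitlines() if l):
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "c-ip": ip,
                     "cs-method": method, "cs-uri-stem": uri, "had_cookie": cookie == "cookie=yes"})
    return rows

def find_rewritten_entries(iis_text, proxy_text, tolerance=timedelta(seconds=2)):
    """Pair each proxy record with the nearest-in-time IIS entry from the same client and flag
    pairs where IIS recorded the sanitized form (GET /) but the proxy saw something else."""
    iis = parse_iis_w3c(iis_text)
    suspects = []
    for p in parse_proxy(proxy_text):
        near = [r for r in iis if r["c-ip"] == p["c-ip"] and abs(r["ts"] - p["ts"]) <= tolerance]
        if not near:
            continue  # no IIS entry at all is worth its own alert, but is outside this check
        r = min(near, key=lambda r: abs(r["ts"] - p["ts"]))
        proxy_view = (p["cs-method"], p["cs-uri-stem"])
        if (r["cs-method"], r["cs-uri-stem"]) == ("GET", "/") and proxy_view != ("GET", "/"):
            suspects.append({"c-ip": p["c-ip"], "ts": p["ts"].isoformat(),
                             "proxy_saw": " ".join(proxy_view), "iis_logged": "GET /",
                             "cookie_dropped": p["had_cookie"] and r["cs(Cookie)"] == "-"})
    return suspects
```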
Conclusion
IISpy is a complex server-side backdoor that misuses the extensibility of the IIS web server software for its persistence, execution and C&C mechanisms. With its tricks to blend in with regular network traffic and to clear incriminating logs, it is designed for long-term espionage on compromised IIS servers.
Organizations that handle sensitive data on their servers should be on the lookout, such as organizations that have the Outlook on the web (OWA) service enabled on their Exchange email servers – OWA is implemented via IIS, and makes an interesting target for espionage. In any case, the best way to keep IISpy off your servers is to keep them up to date, and to carefully consider which services are exposed to the internet, in order to reduce the risk of server exploitation.
Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: [email protected].
Stay tuned for the last installment of this series, where we cover malicious IIS extensions used for SEO fraud.
Indicators of Compromise (IoCs)
ESET detection names
Win32/BadIIS.F
Win64/BadIIS.U
SHA-1
22F8CA2EB3AF377E913B6D06B5A3618D294E4331
435E3795D934EA8C5C7F4BCFEF2BEEE0E3C76A54
CED7BC6E0F1A15465E61CFEC87AAEF98BD999E15
Filenames
cache.dll
logging.dll
MITRE ATT&CK techniques
Note: This table was built using version 9 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description
---|---|---|---
Resource Development | T1587.001 | Develop Capabilities: Malware | IISpy is a custom-made malware family.
Resource Development | T1588.002 | Obtain Capabilities: Tool | Operators of IISpy have used Juicy Potato, a local privilege escalation tool.
Initial Access | T1190 | Exploit Public-Facing Application | IISpy likely obtains its initial access to the IIS server via some vulnerability in the web application or on the server, before it uses the privilege escalation tool Juicy Potato to obtain the administrative privileges that are required to install a native IIS module.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | IISpy supports a backdoor command that uses the Windows command shell to execute shell commands on the compromised IIS server.
Execution | T1569.002 | System Services: Service Execution | The IIS server (and by extension, IISpy) persists as a Windows service.
Persistence | T1546 | Event Triggered Execution | IISpy is loaded by the IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Operators of IISpy have used the local privilege escalation tool Juicy Potato to elevate privileges.
Defense Evasion | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | IISpy has the ability to execute backdoor commands in another user’s context (via LogonUserW, ImpersonateLoggedOnUser).
Defense Evasion | T1070 | Indicator Removal on Host | IISpy has the ability to sanitize the logging of attacker requests on the IIS server.
Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | IISpy supports a backdoor command to modify file timestamps.
Collection | T1005 | Data from Local System | IISpy supports a backdoor command to collect and exfiltrate files from the compromised IIS server.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | IISpy is a passive network implant: adversaries send HTTP requests to the compromised IIS server to control the backdoor.
Command and Control | T1001 | Data Obfuscation | IISpy operators send commands with a specially constructed combination of URLs, Host headers and cookies. IISpy exfiltrates data in a fake PNG file (a PNG header followed by non-image data), in an attempt to make its C&C traffic look like regular network traffic.
Command and Control | T1132.001 | Data Encoding: Standard Encoding | IISpy encodes the C&C communication with base64 encoding.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | IISpy uses AES-CBC to encrypt the C&C communication.
Command and Control | T1105 | Ingress Tool Transfer | IISpy supports a backdoor command to upload additional tools to the compromised IIS server.
Exfiltration | T1041 | Exfiltration Over C2 Channel | IISpy supports a backdoor command to exfiltrate data and files from the compromised IIS server.