IIStealer: A server‑side threat to e‑commerce transactions

August 7, 2021

The first in our series on IIS threats looks at a malicious IIS extension that intercepts server transactions to steal credit card information

ESET researchers have discovered and analyzed a previously undocumented trojan that steals payment information from e-commerce websites' customers. The trojan, which we named IIStealer, is detected by ESET security solutions as Win64/BadIIS.

This blogpost is the first installment in our series where ESET researchers put IIS web server threats under the microscope. For a comprehensive guide to how to detect, analyze and remove IIS malware, refer to our white paper Anatomy of native IIS malware, where IIStealer is featured as one of the studied families (Group 5).

Attack overview

IIStealer is implemented as a malicious extension for Internet Information Services (IIS), Microsoft web server software. Being a part of the server, IIStealer is able to access all the network communication flowing through the server and steal data of interest to the attackers – in this case, payment information from e-commerce transactions.

As illustrated in Figure 1, IIStealer operates by intercepting regular traffic between the compromised server and its clients (the seller and the buyers), targeting HTTP POST requests made to specific URI paths: /checkout/checkout.aspx or /checkout/Payment.aspx.

Every time a legitimate website visitor makes a request to these checkout pages (1), IIStealer logs the HTTP request body into a log file (2), without, in any way, interfering with the HTTP reply generated by the components of the legitimate website (3).

Adversaries can then exfiltrate the collected data by making a special HTTP request to the compromised IIS server: once IIStealer detects a request made to a specific URI (/privacy.aspx) with an attacker password included in the X-IIS-Data header (4), it embeds the collected data in the HTTP response for that request (5,6).

Figure 1. IIStealer: collection and exfiltration mechanisms

With these capabilities, IIStealer is able to steal credit card information sent to e-commerce websites that don't use third-party payment gateways. Note that SSL/TLS and encrypted communication channels don't secure these transactions against IIStealer, as the malware can access all data handled by the server – which is where the credit card information is processed in its unencrypted state.

The samples of this malware that we analyzed seem to be tailored for specific e-commerce websites (with hardcoded checkout page URIs). According to our telemetry, a small number of IIS servers in the USA were targeted between September 2020 and January 2021, but this is likely affected by our limited visibility into IIS servers – it's still common for administrators not to use any security software on these servers.

Technical analysis

IIStealer is implemented as a malicious, native IIS module – a C++ DLL dropped in the %windir%\system32\inetsrv folder on the compromised IIS server and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. In some cases, IIStealer is deployed under the name dir.dll and, as seen in Figure 2, uses a forged VERSIONINFO resource to mimic a legitimate Windows IIS module called dirlist.dll.

Figure 2. IIStealer's VERSIONINFO resource (left) mimics the legitimate dirlist.dll module (right)

Because it's an IIS module, IIStealer is loaded automatically by the IIS Worker Process (w3wp.exe), which handles the requests sent to the IIS web server – this is how IIStealer achieves persistence, and how it can affect the processing of incoming requests.

We don't have any information about how the malware is spread, but we know that administrative privileges are required to install it as a native IIS module, which narrows down the candidates for the initial compromise. A configuration weakness or vulnerability in a web application, or in the server itself, are likely culprits.

As for its technical characteristics, IIStealer implements a core class inherited from CHttpModule (module class) and overrides the CHttpModule::OnPostBeginRequest method with its malicious code. As with all native IIS modules, IIStealer exports a function named RegisterModule (see Figure 3), where it instantiates the module class and registers its methods for server events – more specifically, it registers for the RQ_BEGIN_REQUEST post-event notification that is generated every time the server starts processing an inbound HTTP request. Consequently, the OnPostBeginRequest method is called with every new request, which allows IIStealer to affect the request processing.

Figure 3. IIStealer's RegisterModule entry point

In the OnPostBeginRequest handler, IIStealer filters incoming HTTP requests by request URI. All POST requests made to /checkout/checkout.aspx or /checkout/Payment.aspx are logged – along with their full HTTP bodies – into a file named C:\Windows\Temp\cache.txt. These requests are made by legitimate visitors of the compromised e-commerce websites and can contain sensitive information such as personal details and credit card numbers.

The collected data can be exfiltrated via a specially crafted HTTP request from the attacker. This request must have an X-IIS-Data HTTP header set to a hardcoded, 32-byte alphanumeric password (which we have chosen not to disclose), and must be sent to a URL path specified in the malware sample:

  • /privacy.aspx
  • /checkout/Payment.aspx

Once the malicious module detects such a request, it uses the IHttpResponse::Clear method to delete any HTTP response prepared by the IIS server, and copies the unencrypted contents of the log file into the HTTP response body using the IHttpResponse::WriteEntityChunks API function, as seen in Figure 4.

Figure 4. IIStealer replaces the HTTP response body with its own data

This allows the operators of IIStealer to access and exfiltrate the collected data by simply sending a special request to the compromised IIS server – there is no need for the malware to implement additional C&C channels, or to embed any C&C server domains in its configuration.

IIStealer is a server-side threat that eavesdrops on the communications between a compromised e-commerce website and its customers, with the aim of stealing sensitive payment information – but of course, malicious IIS modules could also target credentials and other information. Even though SSL/TLS is essential in securing the transmission of data between the client and the server, it doesn't prevent this attack scenario, as IIStealer is a part of the server. This should be disturbing for all serious web portals that want to protect their visitors' data, including authentication and payment information.

The best way to harden an IIS server against IIStealer and other threats is to:

  • Use dedicated accounts with strong, unique passwords for the administration of the IIS server.
  • Regularly patch your OS, and carefully consider which services are exposed to the internet, to reduce the risk of server exploitation.
  • Only install native IIS modules from trusted sources.
  • Consider using a web application firewall and/or an endpoint security solution on your IIS server.
  • Regularly check the configuration file %windir%\system32\inetsrv\config\ApplicationHost.config, as well as the %windir%\system32\inetsrv and %windir%\SysWOW64\inetsrv folders, to verify that all the installed native modules are legitimate (signed by a trusted provider, or installed on purpose).
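The module check in the last point, as an added PowerShell example that is not part of the ESET post: it reads the native modules registered in ApplicationHost.config (the ones w3wp.exe will load), checks each image's Authenticode signature and signer, compares the VERSIONINFO OriginalFilename with the file name on disk (the assumption being that a resource copied from dirlist.dll onto a file named dir.dll would disagree), and looks for the C:\Windows\Temp\cache.txt staging file named above. The paths are the ones given in this post; the Microsoft-signer test and the inetsrv-location test are heuristics, not a definitive allowlist.

```powershell
# Added example (not ESET's code). Run in an elevated PowerShell session:
# ApplicationHost.config is readable only by administrators.
$ConfigPath  = Join-Path $env:windir 'System32\inetsrv\config\ApplicationHost.config'
$StagingFile = Join-Path $env:windir 'Temp\cache.txt'   # staging file named in the post
$InetSrvGlob = Join-Path $env:windir 'System32\inetsrv\*'

[xml]$config = Get-Content -Path $ConfigPath -Raw

# Every native module IIS loads into w3wp.exe is declared under <globalModules>.
foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    $image    = [Environment]::ExpandEnvironmentVariables($module.image)
    $findings = @()

    if (-not (Test-Path -LiteralPath $image)) {
        $findings += 'image file missing'
    } else {
        # 1. Authenticode: Microsoft's own IIS modules are signed by Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "signed by $($sig.SignerCertificate.Subject)"
        }

        # 2. Forged VERSIONINFO (assumption): metadata copied from dirlist.dll onto
        #    dir.dll leaves OriginalFilename disagreeing with the name on disk.
        $vi     = (Get-Item -LiteralPath $image).VersionInfo
        $onDisk = [IO.Path]::GetFileName($image)
        if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $onDisk)) {
            $findings += "VERSIONINFO OriginalFilename '$($vi.OriginalFilename)' != '$onDisk'"
        }

        # 3. Native modules normally live in %windir%\System32\inetsrv.
        if ($image -notlike $InetSrvGlob) {
            $findings += 'loaded from outside the inetsrv folder'
        }
    }

    $status = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
    Write-Output ('{0,-10} {1,-35} {2} {3}' -f $status, $module.name, $image, ($findings -join '; '))
}

# The local staging file IIStealer wrote captured POST bodies to (T1074.001).
if (Test-Path -LiteralPath $StagingFile) {
    Write-Warning "Staging file present: $StagingFile - preserve it for forensics before cleanup"
}
```

Treat a SUSPICIOUS line as a lead, not a verdict: a third-party module you installed on purpose will also fail the Microsoft-signer test, and a catalog-signed file depends on Get-AuthenticodeSignature's catalog lookup succeeding.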

For web developers: even if you don't have control over the IIS server where your web service is hosted, you can still take steps to reduce the impact on users of your web service in the case of a compromise, specifically:

  • Don't send the password itself to the server (not even over SSL/TLS); use a protocol such as Secure Remote Password (SRP) to authenticate users without the unencrypted password, or any data that could be used to reauthenticate, ever being transmitted to the server. IIS infostealers are a good example of why server-side hashing alone is not good enough.
  • Avoid unnecessarily sending sensitive information from the web application; use payment gateways.
  • If you identify a successful compromise, notify all parties involved in the security breach so they can take immediate action.

For consumers: from the visitor's perspective, it's impossible to know whether an IIS server is compromised, but the following tips will help you reduce the risk:

  • Be careful about where you enter your credit card number. Consider using payment gateways from trusted third-party providers on e-commerce websites whose reputation is unknown to you: with payment gateways, such websites won't handle the sensitive payment information themselves.
  • Keep an eye on your credit statement for small or unusual payments: sometimes small amounts are charged to test whether the cards are valid.
  • If you spot something unusual, notify your bank immediately.

Additional technical details on the malware, Indicators of Compromise and YARA rules can be found in our comprehensive white paper, and on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: [email protected].

Stay tuned for the next installments of this series, where we cover malicious IIS extensions used for cyberespionage and SEO fraud.

Indicators of Compromise (IoCs)

MITRE ATT&CK techniques

Note: This table was built using version 9 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1587.001 | Develop Capabilities: Malware | IIStealer is a custom-made malware family.
Execution | T1569.002 | System Services: Service Execution | The IIS server (and by extension, IIStealer) persists as a Windows service.
Persistence | T1546 | Event Triggered Execution | IIStealer is loaded by the IIS Worker Process (w3wp.exe) when the IIS server receives an inbound HTTP request.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | IIStealer has been deployed under the name dir.dll, in an attempt to mimic a legitimate Microsoft IIS module called dirlist.dll.
Defense Evasion | T1027 | Obfuscated Files or Information | IIStealer uses string stacking in an attempt to avoid some string-based detection.
Credential Access | T1056 | Input Capture | IIStealer intercepts network traffic between the IIS server and its clients to collect sensitive information such as credit card details.
Collection | T1119 | Automated Collection | IIStealer automatically collects information from inbound HTTP requests, such as credit card details.
Collection | T1074.001 | Data Staged: Local Data Staging | IIStealer uses a local file to stage collected information.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Adversaries send HTTP requests to the compromised IIS server to control IIStealer.
Exfiltration | T1041 | Exfiltration Over C2 Channel | IIStealer uses its C&C channel to exfiltrate collected data: HTTP requests are sent by the adversary to the compromised IIS server.
