ESET researchers have discovered a set of 10 previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) webserver software. Targeting both government mailboxes and e-commerce credit card transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications.
At least five IIS backdoors have been spreading through server exploitation of Microsoft Exchange email servers in 2021, according to ESET telemetry and the results of additional internet-wide scans that ESET researchers performed to detect the presence of these backdoors. Among the victims are governments in Southeast Asia and dozens of companies belonging to various industries located mostly in Canada, Vietnam, and India, but also in the US, New Zealand, South Korea, and other countries.
ESET Research has published the white paper “Anatomy of native IIS malware” and launched a series of blog posts on the most notable of the newly discovered threats: IIStealer, IISpy and IISerpent. These will be published on WeLiveSecurity starting today and following through to August 11, 2021. The findings of ESET’s IIS malware research were first presented at Black Hat USA 2021 and will also be shared with the community at the Virus Bulletin 2021 conference on October 8, 2021.
IIS malware is a diverse class of threats used for cybercrime, cyberespionage and SEO fraud — but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests. “Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says ESET researcher Zuzana Hromcová, author of the paper.
ESET has identified five main modes in which IIS malware operates:
- IIS backdoors allow their operators to remotely control the compromised computer with IIS installed.
- IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login credentials and payment information.
- IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content.
- IIS proxies turn the compromised server into an unwitting part of the command and control infrastructure for another malware family.
- SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.
“It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organizations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage,” explains Hromcová.
ESET Research offers several recommendations that can help mitigate IIS malware attacks. These include using unique, strong passwords and multifactor authentication for the administration of IIS servers; keeping the operating system up to date; using a web application firewall and endpoint security solution for the server, and regularly checking the IIS server configuration to verify that all installed extensions are legitimate.