ESET researchers have reported a set of 10 previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software. Targeting both government mailboxes and e-commerce credit card transactions, as well as aiding in malware distribution, this diverse class of threats operates by eavesdropping on and tampering with the server’s communications. At least five IIS backdoors have been spreading through server exploitation of Microsoft Exchange email servers in 2021, according to ESET telemetry and the results of additional internet-wide scans that ESET researchers performed to detect the presence of these backdoors.
IIS malware is a diverse class of threats used for cybercrime, cyberespionage and SEO fraud — but in all cases, its main purpose is to intercept HTTP requests incoming to the compromised IIS server and affect how the server responds to (some of) these requests. “Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says ESET researcher Zuzana Hromcová, author of the paper.
ESET has identified five main modes in which IIS malware operates:
- IIS backdoors allow their operators to remotely control the compromised computer with IIS installed.
- IIS infostealers allow their operators to intercept regular traffic between the compromised server and its legitimate visitors and steal information such as login credentials and payment information.
- IIS injectors modify HTTP responses sent to legitimate visitors to serve malicious content.
- IIS proxies turn the compromised server into an unwitting part of the command and control infrastructure for another malware family.
- SEO fraud IIS malware modifies the content served to search engines to manipulate SERP algorithms and boost the ranking for other websites of interest to the attackers.
“It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organisations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage,” explains Hromcová.
ESET Australia Country Manager Kelly Johnson says the ongoing attempts by threat actors to weaponize vulnerabilities in IIS is a reminder to local business to check their exposure and take steps to mitigate it. “These are sophisticated attacks, used for a wide variety of cybercrimes, but having solid security practices in place and the right security tools deployed goes a long way to blunting such attacks.”
ESET Research offers several recommendations that can help mitigate against IIS malware attacks. These include using unique, strong passwords and multifactor authentication for the administration of IIS servers; keeping the operating system up to date; using a web application firewall and endpoint security solution for the server; and regularly checking the IIS server configuration to verify that all installed extensions are legitimate.
For more technical details about these IIS threats, read the introductory blog post “Anatomy of native IIS malware”