{"id":19686,"date":"2022-07-26T10:01:09","date_gmt":"2022-07-26T18:01:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/07\/26\/news-13419\/"},"modified":"2022-07-26T10:01:09","modified_gmt":"2022-07-26T18:01:09","slug":"news-13419","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/07\/26\/news-13419\/","title":{"rendered":"Malicious IIS extensions quietly open persistent backdoors into servers"},"content":{"rendered":"

Credit to Author: Katie McCafferty| Date: Tue, 26 Jul 2022 17:00:00 +0000<\/strong><\/p>\n

Attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers, which hide deep in target environments and provide a durable persistence mechanism for attackers. While prior research has been published on specific incidents and variants, little is generally known about how attackers leverage the IIS platform as a backdoor.<\/p>\n

Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells<\/a> as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells. IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules. In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.<\/p>\n

Typically, attackers first exploit a critical vulnerability in the hosted application for initial access before dropping a script web shell as the first stage payload. At a later point in time, the attackers then install an IIS backdoor to provide highly covert and persistent access to the server. Attackers can also install customized IIS modules to fit their purposes, as we observed in a campaign targeting Exchange servers between January and May 2022, as well as in our prior research on the custom IIS backdoors ScriptModule.dll<\/a> and App_Web_logoimagehandler.ashx.b6031896.dll<\/a>. Once registered with the target application, the backdoor can monitor incoming and outgoing requests and perform additional tasks, such as running remote commands or dumping credentials in the background as the user authenticates to the web application.<\/p>\n

As we expect attackers to continue to increasingly leverage IIS backdoors, it\u2019s vital that incident responders understand the basics of how these attacks function to successfully identify and defend against them. Organizations can further improve their defenses with Microsoft 365 Defender<\/a>, whose protection capabilities are informed by research like this and our unique visibility into server attacks and compromise. With critical protection features like threat and vulnerability management<\/a> and antivirus capabilities, Microsoft 365 Defender provides organizations with a comprehensive solution that coordinates protection across domains, spanning email, identities, cloud, and endpoints.<\/p>\n

In this blog post, we detail how IIS extensions work and provide insight into how they are being leveraged by attackers as backdoors. We also share some of our observations on the IIS threat landscape over the last year to help defenders identify and protect against this threat and prepare the larger security community for any increased sophistication. More specifically, the blog covers the following topics:<\/p>\n