Malicious IIS Extensions

Malicious IIS Extensions' Persistent Access Popular Among Cyber Criminals

According to a new warning issued by the Microsoft 365 Defender Research Team, IIS backdoors are much harder to detect than other backdoors because they commonly reside in the same directories as legitimate modules.

Furthermore, these backdoors use the same code structures as the clean modules used by the target applications. Attack chains typically begin by exploiting a vulnerability in the hosted application for initial access; using that foothold, the attackers drop a script web shell as the first-stage payload.

The web shell then becomes the channel through which a rogue IIS module is installed. This step gives the attackers covert, persistent access to the server, which they can use to monitor incoming and outgoing requests and to run remote commands.
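Because a rogue module is registered in IIS configuration just like a legitimate one, a practical defensive check is to inventory the native modules listed in applicationHost.config and compare them with a known-good baseline. The following script is an added example, not code from the article or from Microsoft; the configuration snippet, the baseline set and the module name "SessionTrackingModule" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# "SessionTrackingModule" is an invented rogue entry, not a real malware name: it sits
# in the inetsrv directory next to legitimate modules, as the article describes.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="SessionTrackingModule" image="%windir%\System32\inetsrv\sesstrack.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Allowlist of module names recorded from a known-clean build (assumption: a real
# baseline is captured per host and is much longer than these three entries).
BASELINE_MODULES = {"HttpLoggingModule", "DefaultDocumentModule", "HttpCacheModule"}

# Directory where IIS's own native modules normally live (compared case-insensitively).
EXPECTED_DIR = "%windir%\\system32\\inetsrv\\"

def parse_global_modules(config_xml):
    """Return (name, image) pairs for every native module registered in IIS."""
    root = ET.fromstring(config_xml)
    section = root.find("system.webServer/globalModules")
    if section is None:
        return []
    return [(m.get("name", ""), m.get("image", "")) for m in section.findall("add")]

def find_unexpected_modules(config_xml, baseline):
    """Flag modules whose name is not in the baseline or whose DLL is outside inetsrv.
    A path check alone is not enough: the rogue module here lives beside clean ones,
    so the baseline comparison is what actually surfaces it."""
    findings = []
    for name, image in parse_global_modules(config_xml):
        reasons = []
        if name not in baseline:
            reasons.append("name not in baseline")
        if not image.lower().startswith(EXPECTED_DIR):
            reasons.append("image outside inetsrv")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_unexpected_modules(SAMPLE_CONFIG, BASELINE_MODULES):
        print(f"{f['name']}: {f['image']} ({', '.join(f['reasons'])})")
```

On a live server the same parser can be pointed at %windir%\System32\inetsrv\config\applicationHost.config, and any flagged DLL should then be checked for a valid Authenticode signature before it is trusted.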

Earlier this month, it was disclosed by Kaspersky researchers that the Gelsemium group undertook a campaign that took advantage of the flaws in the ProxyLogon Exchange Server and managed to launch SessionManager, a piece of IIS malware. 

In another set of attacks between January 2022 and May 2022, the tech giant observed Exchange servers being targeted with web shells delivered through an exploit for the ProxyShell flaws.

That access led to the deployment of a backdoor, FinanceSvcModel.dll, though only after a period of surveillance.

As explained by security researcher Hardik Suri, this backdoor had built-in capabilities that allowed it to perform Exchange management operations, including enumerating installed mailbox accounts and exporting mailboxes for exfiltration.

To help mitigate such attacks, it is recommended that you apply the latest security updates and ensure that your anti-virus and other protections are enabled.

Zubair is a tech geek who loves technology and writing about it. He also loves to travel and spread knowledge about online security.