Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access

Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism.”

That’s according to a new warning from the Microsoft 365 Defender Research Team, which said that “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”

Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload.

This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands.
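The detection difficulty Microsoft describes (a rogue module registered alongside the legitimate ones, in the same directory and with the same code structure) is why the practical check is to diff the modules IIS has registered against a baseline taken from a known-good server, rather than looking at file locations alone. The script below is an added example, not code from Microsoft or from the article: it parses a constructed applicationHost.config fragment, compares the globalModules entries with a hypothetical baseline of three stock IIS native modules, and reuses the FinanceSvcModel.dll name from the article for the sample rogue entry. The path check catches a DLL dropped outside the inetsrv directory; only the baseline diff catches one placed next to the legitimate modules.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not taken from any real
# server). The first three entries mimic stock IIS native modules; the last
# two show what rogue registrations can look like. "FinanceSvcModel.dll" is
# the backdoor name given in the article, placed here in the legitimate
# module directory, as the report describes.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
      <add name="FinanceSvcModel" image="%windir%\System32\inetsrv\FinanceSvcModel.dll" />
      <add name="UpdateHelper" image="C:\inetpub\wwwroot\aspnet_client\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Hypothetical baseline: module name -> DLL file name, as captured from a
# clean IIS install of the same version. In practice generate this from a
# known-good reference server (and store file hashes with it), never by hand.
BASELINE = {
    "HttpLoggingModule": "loghttp.dll",
    "StaticFileModule": "static.dll",
    "AnonymousAuthenticationModule": "authanon.dll",
}

# Directory that holds the stock native modules (compared case-insensitively).
INETSRV_DIR = r"%windir%\system32\inetsrv"


def audit_global_modules(config_xml, baseline=BASELINE):
    """Return [(module name, image path, reason)] for every <globalModules>
    entry that deviates from the baseline or lives outside the module directory.
    An empty list means every registered native module matched the baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    # Iterate by element rather than by path so the dotted parent tag
    # (system.webServer) never has to appear in an XPath expression.
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            directory, _, dll = image.rpartition("\\")
            reasons = []
            if directory.lower() != INETSRV_DIR:
                reasons.append("image outside the IIS module directory")
            if name not in baseline:
                reasons.append("module name not in baseline")
            elif baseline[name].lower() != dll.lower():
                reasons.append("baseline module now points at a different DLL")
            if reasons:
                findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_APPHOST):
        print(f"[!] {name}: {image}  ({reason})")
```

Run against the sample, the three stock modules pass, FinanceSvcModel is flagged only because it is absent from the baseline, and UpdateHelper is flagged for both its location and its name. A name-and-path diff is the minimum: since an attacker who can write to inetsrv can also overwrite a legitimate DLL, the real baseline should carry file hashes or Authenticode signer information for each module, and the same comparison should be applied to the managed `<modules>` section of applicationHost.config and each site's web.config.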

Indeed, earlier this month, Kaspersky researchers disclosed a campaign undertaken by the Gelsemium group, which was found taking advantage of the ProxyLogon Exchange Server flaws to launch a piece of IIS malware called SessionManager.

In another set of attacks observed by the tech giant between January and May 2022, Exchange servers were targeted with web shells by means of an exploit for the ProxyShell flaws. After a period of reconnaissance, this ultimately led to the deployment of a backdoor called “FinanceSvcModel.dll.”

“The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration,” security researcher Hardik Suri explained.

To mitigate such attacks, it’s recommended to apply the latest security updates for server components as soon as possible, keep antivirus and other protections enabled, review sensitive roles and groups, and restrict access by practicing the principle of least privilege and maintaining good credential hygiene.
