In a new white paper, ESET detailed new families of IIS web server malware that are being used to carry out cyberattacks, cyberespionage, and SEO fraud.
The authors of the white paper titled “Anatomy of native IIS malware” discussed the various new threats that exploit native IIS modules and the steps that can be taken to prevent such exploitation. Researchers also published a series of posts dedicated to the three most notable of the newly discovered threats: IIStealer, IISpy, and IISerpent.
ESET’s findings were first presented at Black Hat USA 2021. They will be shared with the community at the Virus Bulletin 2021 conference in October 2021.
ESET has also identified all victims of the attacks, which included government institutions and dozens of companies in Southeast Asia, including a major telecommunications company in Cambodia and a research institution in Vietnam. The attackers were also targeting various private companies in other countries, including the USA, Canada, New Zealand, India, and South Korea.
Researchers at ESET have discovered a set of 10 previously unknown malware families. They were implemented as extensions for Internet Information Services (IIS) web server software.
“Internet Information Services web servers have been targeted by various malicious actors, for cybercrime and cyberespionage alike. The software’s modular architecture, designed to provide extensibility for web developers, can be a useful tool for attackers,” says ESET researcher Zuzana Hromcová, author of the white paper.
These threats can eavesdrop on and tamper with the server’s communications to steal sensitive information, such as e-commerce credit card transactions and government mailboxes. At least five IIS backdoors were discovered by ESET in 2021 targeting Microsoft Exchange email servers.
This type of threat is usually used for cybercrime, cyberespionage, and SEO fraud, and always intercepts the incoming HTTP requests of a compromised IIS server and affects how the server responds to them.
ESET has identified five main modes in which IIS malware operates:
- IIS backdoors for remote control of the compromised computer with IIS installed;
- IIS infostealers for intercepting regular traffic between the compromised server and its legitimate visitors and stealing information;
- IIS injectors for modifying HTTP responses sent to legitimate visitors and serving malicious content;
- IIS proxies for making a server a part of the command and control infrastructure for another malware family;
- SEO fraud for modifying the content served to search engines to manipulate SERP algorithms and boost the rankings of attackers’ websites.
“It is still quite rare for security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information. Organisations that use Outlook on the web should also pay attention, as it depends on IIS and could be an interesting target for espionage,” explained Hromcová.
ESET has compiled a list of steps that can help prevent the exploitation of IIS. Some of these include keeping the operating system up-to-date, implementing a web application firewall and endpoint security solution for the server, using unique, strong passwords, using multifactor authentication, and ensuring that all installed extensions are authentic.
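The last of those steps, checking that every installed extension is authentic, is something an administrator can script. The following PowerShell audit is an added example, not code from ESET or from the white paper. It assumes it is run elevated on the IIS host, that applicationHost.config sits at the default path, and that a signer whose certificate subject contains “O=Microsoft Corporation” is treated as trusted (a heuristic you would adjust for legitimate third-party modules in your own inventory). It enumerates the native modules registered under globalModules, which is exactly the extension point the native IIS malware described above abuses, and flags binaries that are missing, unsigned, signed by an unexpected publisher, or loaded from outside the inetsrv directory.

```powershell
# Added example (not ESET's code): audit native IIS modules registered in
# applicationHost.config and flag ones that do not look authentic.
# Assumptions: elevated session on the IIS host; default config location;
# "O=Microsoft Corporation" in the signer subject is the trust heuristic.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$inetsrvDir = Join-Path $env:windir 'System32\inetsrv'

[xml]$config = Get-Content -Path $configPath -Raw

# Native (unmanaged) modules live under <system.webServer><globalModules>;
# managed modules are listed elsewhere and are not in scope here.
$findings = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    # Image paths in the config use %windir%-style variables; expand them.
    $image  = [Environment]::ExpandEnvironmentVariables($module.image)
    $exists = Test-Path -LiteralPath $image

    $signature = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $signer    = if ($signature -and $signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { '' }
    $hash      = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { '' }

    $reasons = @()
    if (-not $exists) {
        $reasons += 'image missing on disk'
    } elseif ($signature.Status -ne 'Valid') {
        $reasons += "signature status $($signature.Status)"
    } elseif ($signer -notmatch 'O=Microsoft Corporation') {
        $reasons += 'signed by a non-Microsoft publisher (verify against inventory)'
    }
    if ($exists -and -not $image.StartsWith($inetsrvDir, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'loaded from outside the inetsrv directory'
    }

    [pscustomobject]@{
        Name       = $module.name
        Image      = $image
        Signer     = $signer
        Sha256     = $hash
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Suspicious entries first; the SHA-256 column lets you compare against a
# known-good baseline or submit the file for analysis.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it once on a freshly built server to record a baseline of module names, paths, and hashes, then re-run it on a schedule and diff the output; a new globalModules entry, a changed hash, or a module whose image has moved out of inetsrv is the kind of change worth an immediate look.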
The full technical details are available in ESET’s original white paper.