Researchers looked into recent attacks against Microsoft’s Internet Information Services (IIS) and revealed that the number of malware families designed specifically for attacking the IIS servers has increased significantly over the past eight years.
Zuzana Hromcova, a malware researcher from ESET, presented the findings of her study at the Black Hat USA security event. She said they found 14 malware families, 10 of them were not documented before.
IIS is a web server software from Microsoft with a modular architecture that enables developers to extend a server’s capabilities by creating additional modules.
According to a report released by ESET, the malware’s main functions are to intercept communications to the server and temper with the processing of the server requests. Researchers also noted a novel SEO fraud technique.
“The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed,” Hromcova told in an interview with The Hacker News. “Their motivations range from cybercrime to espionage, and a technique called SEO fraud.”
The IIS’ extensibility makes it an attractive attack surface for attackers to try to steal sensitive data or intercept network traffic, according to the ESET’s report.
“Moreover, it is quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors’ data, including authentication and payment information.”
The study grouped the various types of malware into 14 families. Some of these families were detected for the first time in 2018-2021. While they may not have much in common with each other, all the 14 malware families are all built to be malicious IIS modules.
“The main purpose of IIS malware is to process HTTP requests incoming to the compromised server and affect how the server responds to (some of) these requests – how they are processed depends on malware type,” Hromcova explained.
The malware families have been found to operate in one of the five modes: Backdoor mode, Infostealer mode, Injector mode, Proxy mode, and SEO fraud mode.
Most of these attacks rely on a server administrator inadvertently downloading a trojanized version of a legitimate IIS module.
As an example, researchers mention APT groups that targeted Microsoft ProxyLogon flaws earlier this March and used servers that were compromised to deploy web shells that helped them to install IIS backdoors.
One of the most surprising findings of the investigation was how IIS malware is adaptable and how attackers can manipulate search engine results:
“One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites,” Hromcova said. “We haven’t seen anything like that before.”
To prevent exploitation of IIS servers, researchers remind the importance of using strong, unique passwords for all accounts connected to the server. It is also important to install native modules only from trusted sources.
