Threat actors are increasingly abusing Internet Information Services (IIS) extensions to backdoor servers as a means of establishing a “durable persistence mechanism.”
That’s according to a new warning from the Microsoft 365 Defender Research Team, which said that “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules.”
Attack chains taking this approach commence with weaponizing a critical vulnerability in the hosted application for initial access, using this foothold to drop a script web shell as the first stage payload.
This web shell then becomes the conduit for installing a rogue IIS module to provide highly covert and persistent access to the server, in addition to monitoring incoming and outgoing requests as well as running remote commands.
Indeed, earlier this month, Kaspersky researchers disclosed a campaign undertaken by the Gelsemium group, which was found taking advantage of the ProxyLogon Exchange Server flaws to launch a piece of IIS malware called SessionManager.
In another set of attacks observed by the tech giant between January and May 2022, Exchange servers were targeted with web shells by means of an exploit for the ProxyShell flaws, which ultimately led to the deployment of a backdoor called “FinanceSvcModel.dll” but not before a period of reconnaissance.
“The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration,” security researcher Hardik Suri explained.
To mitigate such attacks, it’s recommended to apply the latest security updates for server components as soon as possible, keep antivirus and other protections enabled, review sensitive roles and groups, and restrict access by practicing the principle of least-privilege and maintaining good credential hygiene.