Pierluigi Paganini July 27, 2022

Threat actors are increasingly abusing Internet Information Services (IIS) extensions to maintain persistence on target servers.

Microsoft warns of threat actors that are increasingly abusing Internet Information Services (IIS) extensions to establish covert backdoors into servers and maintain persistence in the target networks.

IIS backdoors are also hard to detect because they follow the same code structure as legitimate and harmless modules.

“Malicious IIS extensions are less frequently encountered in attacks against servers, with attackers often only using script web shells as the first stage payload. This leads to a relatively lower detection rate for malicious IIS extensions compared to script web shells.” reads the advisory published by Microsoft. “IIS backdoors are also harder to detect since they mostly reside in the same directories as legitimate modules used by target applications, and they follow the same code structure as clean modules. In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection.”

The attackers usually exploit a critical vulnerability in the hosted application to gain initial access and drop a script web shell as the first stage of the attack chain. Then the web shell is used to install a rogue IIS module that establishes persistent access to the server which is hard to discover. The shell also monitors incoming and outgoing requests and runs commands sent by remote attackers, it also allows attackers to dump credentials in the background as the user authenticates to the web application.

In early July, researchers from Kaspersky Lab discovered a new ‘SessionManager’ Backdoor that was employed in attacks targeting Microsoft IIS Servers since March 2021.

SessionManager is written in C++, it is a malicious native-code IIS module that is loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server.

The attackers were exploring the ProxyLogon vulnerabilities in Exchange Server to launch the SessionManager.

Microsoft researchers also detailed a campaign that took place between January and May 2022, threat actors targeted Exchange servers exploiting the ProxyShell flaws to ultimately deploy a backdoor called “FinanceSvcModel.dll.”

“After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:\inetpub\wwwroot\bin\. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration, as detailed below.” continues the analysis.

Microsoft grouped the malicious IIS extensions observed over the past year in the following categories:

• Web shell-based variants;
• Open-source variants;
• IIS handlers;
• Credential stealers;

To mitigate ISS backdoor attacks, experts recommend to:

• install the latest security updates, especially for server components;
• enable antivirus and other security protections;
• review sensitive roles and groups;
• restrict access by applying the principle of least privilege;
• prioritize alerts;
• inspect config file and bin folder;

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)

[adrotate banner=”5″]

[adrotate banner=”13″]